national.m4: Use public NTP servers.

[firewall] / local.m4

### -*-sh-*-
###
### Local firewall configuration
###
### (c) 2008 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

###--------------------------------------------------------------------------
### Local configuration.

m4_divert(6)m4_dnl
## Default NTP servers.
defconf(ntp_servers,
        "81.187.26.174 90.155.23.205 2001:8b0:0:23::205 185.73.44.6 2001:ba8:0:2c06::")

m4_divert(-1)
###--------------------------------------------------------------------------
### Packet classification.

## IPv4 addressing.
##
## There are two small blocks of publicly routable IPv4 addresses, and a
## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN.
## The former are as follows.
##
## 81.2.113.195, 81.187.238.128/28, 217.169.12.64/28
##              House border network (dmz).  We have all of these; the loose
##              address is for the router.
##
## The latter is the block 172.29.196.0/22.  Currently the low half is
## unallocated (and may be returned to the G-RIN); the remaining addresses
## are allocated as follows.
##
## 172.29.198.0/24  Untrusted networks.
##      .0/25           house wireless net
##      .128/28         iodine (IP-over-DNS) network
##      .144/28         hippotat (IP-over-HTTP) network
##      .160/27         untrusted virtual network
##
## 172.29.199.0/24  Trusted networks.
##      .0/25           house wired network
##      .128/27         mobile VPN hosts
##      .160/28         reserved, except .160/30 allocated for ITS
##      .176/28         internal colocated network
##      .192/27         house safe network
##      .224/27         anycast services

## IPv6 addressing.
##
## There are five blocks of publicly routable IPv6 addresses, though some of
## them aren't very interesting.  The ranges are as follows.
##
## 2001:8b0:c92::/48
##              Main house range (aaisp).  See below for allocation policy.
##              There is no explicit DMZ allocation (and no need for one).
##
## Addresses in the /64 networks are simply allocated in ascending order.
## The /48s are split into /64s by appending a 16-bit network number.  The
## top nibble of the network number classifies the network, as follows.
##
## axxx         Virtual, untrusted
## 8xxx         Untrusted
## 6xxx         Virtual, safe
## 4xxx         Safe
## 0xxx         Unsafe, trusted
##
## These have been chosen so that network properties can be deduced by
## inspecting bits of the network number:
##
## Bit 15       If set, the network is untrusted; otherwise it is trusted.
## Bit 14       If set, the network is safe; otherwise it is unsafe.
##
## Finally, the low-order nibbles identify the site.
##
## 0            No specific site: mobile VPN endpoints or anycast addresses.
## 1            House.
## fff          Local border network.

## Define the available network classes.
m4_divert(42)m4_dnl
defnetclass scary       scary           trusted             vpnnat mcast
defnetclass untrusted   scary untrusted trusted                    mcast
defnetclass trusted     scary untrusted trusted safe noloop vpnnat mcast
defnetclass safe                        trusted safe noloop vpnnat mcast
defnetclass noloop                      trusted safe               mcast
defnetclass vpnnat      scary           trusted safe               mcast

defnetclass link
defnetclass mcast
m4_divert(-1)

m4_divert(26)m4_dnl
###--------------------------------------------------------------------------
### Network layout.

## House networks.
defnet dmz trusted
        addr 81.2.113.195 81.187.238.128/28 217.169.12.64/28 2001:8b0:c92:fff::/64
        via unsafe untrusted
defnet unsafe trusted
        addr 172.29.199.0/25 2001:8b0:c92:1::/64
        via househub
defnet safe safe
        addr 172.29.199.192/27 2001:8b0:c92:4001::/64
        via househub
defnet untrusted untrusted
        addr 172.29.198.0/25 2001:8b0:c92:8001::/64
        via househub

defnet househub virtual
        via housebdry dmz unsafe safe untrusted
defnet housebdry virtual
        via househub hub

## House hosts.
defhost radius
        hosttype router
        iface eth0 dmz unsafe safe untrusted vpn sgo default
        iface eth1 dmz unsafe safe untrusted vpn sgo default
        iface eth2 dmz unsafe safe untrusted vpn sgo
        iface eth3 unsafe untrusted vpn default
        iface ppp0 default
        iface t6-he default
        iface vpn-precision vpn sgo
        iface vpn-chiark sgo
        iface vpn-+ vpn
defhost roadstar
        iface eth0 dmz unsafe
        iface eth1 dmz unsafe
defhost jem
        iface eth0 dmz unsafe
        iface eth1 dmz unsafe
defhost universe
        iface eth0 dmz unsafe
        iface eth1 dmz unsafe
defhost artist
        hosttype router
        iface eth0 dmz unsafe untrusted
        iface eth1 dmz unsafe untrusted
        iface eth3 unsafe untrusted
defhost vampire
        hosttype router
        iface eth0.4 dmz unsafe untrusted safe vpn sgo
        iface eth0.5 dmz unsafe untrusted safe vpn sgo
        iface eth0.6 dmz unsafe safe untrusted vpn sgo
        iface eth0.7 unsafe untrusted vpn
        iface vpn-precision vpn sgo
        iface vpn-chiark sgo
        iface vpn-+ vpn
defhost ibanez
        iface br-dmz dmz unsafe
        iface br-unsafe unsafe
defhost orange
        iface wlan0 untrusted
        iface vpn-radius unsafe
defhost groove
        iface eth0 unsafe
        iface wlan0 untrusted
        iface vpn-radius unsafe

defhost gibson
        hosttype client
        iface eth0 unsafe

## Formerly colocated hosts.
defhost fender
        iface br-dmz dmz unsafe
        iface br-unsafe dmz unsafe
defhost precision
        hosttype router
        iface eth0 dmz unsafe vpn sgo
        iface eth1 dmz unsafe vpn sgo
        iface vpn-mango binswood
        iface vpn-chiark sgo
        iface vpn-national upn
        iface vpn-mdwdev upn
        iface vpn-+ vpn
defhost telecaster
        iface eth0 dmz unsafe vpn sgo
        iface eth1 dmz unsafe vpn sgo
defhost stratocaster
        iface eth0 dmz unsafe vpn sgo
        iface eth1 dmz unsafe vpn sgo
defhost jazz
        hosttype router
        iface eth0 dmz unsafe vpn sgo
        iface eth1 dmz unsafe vpn sgo
        iface dns0 iodine
        iface hippo-svc hippotat
        iface vpn-+ vpn

## Stunt connectivity networks.
defnet iodine untrusted
        addr 172.29.198.128/28
        via colohub
defnet hippotat untrusted
        addr 172.29.198.144/28
        via colohub


## Other networks.
defnet hub virtual
        via housebdry
defnet sgo noloop
        addr !172.29.198.0/23
        addr !10.165.27.0/24
        addr 10.0.0.0/8
        addr 172.16.0.0/12
        addr 192.168.0.0/16
        via househub
defnet vpn trusted
        addr 172.29.199.128/27 2001:8b0:c92:6000::/64
        via househub
        host crybaby 1 ::1:1
        host terror 2 ::2:1
        host orange 3 ::3:1
        host haze 4 ::4:1
        host spirit 9 ::9:1
        host groove 10 ::10:1
defnet anycast trusted
        addr 172.29.199.224/27 2001:8b0:c92:0::/64
        via dmz unsafe safe untrusted vpn nvpn
defnet default scary
        addr 81.2.113.195 81.187.238.128/28 217.169.12.64/28 \
                2001:8b0:c92::/48
        via dmz unsafe untrusted
defnet upn untrusted
        addr 172.29.198.160/27 2001:8b0:c92:a000::/64
        via househub
        host national 1 ::1:1
        host mdwdev 2 ::2:1

## Linode hosts.
defhost national
        iface eth0 default
        iface vpn-precision househub

## Satellite networks.
defnet binswood vpnnat
        addr 10.165.27.0/24
        via househub
defhost mango
        hosttype router
        iface eth0 binswood default
        iface vpn-precision dmz default

m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Connection tracking helper modules.

for i in ftp; do
  modprobe nf_conntrack_$i
done

m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Special forwarding exemptions.

case $forward in
  1)

    ## Only allow these packets if they're not fragmented.  (Don't trust safe
    ## hosts's fragment reassembly to be robust against malicious fragments.)
    ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
    ## of `! -f', so we do the negation using early return from a subchain.
    clearchain fwd-spec-nofrag
    run iptables -A fwd-spec-nofrag -j RETURN --fragment
    run ip6tables -A fwd-spec-nofrag -j RETURN \
            -m ipv6header --soft --header frag
    run ip46tables -A FORWARD -j fwd-spec-nofrag

    ## Allow ping from safe/noloop to untrusted networks.
    run iptables -A fwd-spec-nofrag -j ACCEPT \
            -p icmp --icmp-type echo-request \
            -m mark --mark $to_untrusted/$MASK_TO
    run iptables -A fwd-spec-nofrag -j ACCEPT \
            -p icmp --icmp-type echo-reply \
            -m mark --mark $from_untrusted/$MASK_FROM \
            -m state --state ESTABLISHED
    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
            -p icmpv6 --icmpv6-type echo-request \
            -m mark --mark $to_untrusted/$MASK_TO
    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
            -p icmpv6 --icmpv6-type echo-reply \
            -m mark --mark $from_untrusted/$MASK_FROM \
            -m state --state ESTABLISHED

    ## Allow SSH from safe/noloop to untrusted networks.
    run ip46tables -A fwd-spec-nofrag -j ACCEPT \
            -p tcp --destination-port $port_ssh \
            -m mark --mark $to_untrusted/$MASK_TO
    run ip46tables -A fwd-spec-nofrag -j ACCEPT \
            -p tcp --source-port $port_ssh \
            -m mark --mark $from_untrusted/$MASK_FROM \
            -m state --state ESTABLISHED

    ;;
esac

m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Kill things we don't understand properly.
###
### I don't like having to do this, but since I don't know how to do proper
### multicast filtering, I'm just going to ban it from being forwarded.

errorchain poorly-understood REJECT

## Ban multicast destination addresses in forwarding.
case $forward in
  1)
    run iptables -A FORWARD -g poorly-understood \
            -d 224.0.0.0/4
    run ip6tables -A FORWARD -g poorly-understood \
            -d ff::/8
    ;;
esac

m4_divert(82)m4_dnl
###--------------------------------------------------------------------------
### Check for source routing.

clearchain check-srcroute

run iptables -A check-srcroute -g forbidden \
    -m ipv4options --any --flags lsrr,ssrr
run ip6tables -A check-srcroute -g forbidden \
    -m rt

for c in INPUT FORWARD; do
  for m in $from_scary $from_untrusted; do
    run ip46tables -A $c -m mark --mark $m/$MASK_FROM -j check-srcroute
  done
done

m4_divert(84)m4_dnl
###--------------------------------------------------------------------------
### Locally-bound packet inspection.

clearchain inbound
clearchain inbound-untrusted

## Track connections.
commonrules inbound
conntrack inbound

## Allow incoming bootp.  Bootp won't be forwarded, so this is obviously a
## local request.
run iptables -A inbound -j ACCEPT \
        -s 0.0.0.0 -d 255.255.255.255 \
        -p udp --source-port $port_bootpc --destination-port $port_bootps
run iptables -A inbound -j ACCEPT \
        -s 172.29.198.0/23 \
        -p udp --source-port $port_bootpc --destination-port $port_bootps

## Allow incoming ping.  This is the only ICMP left.
run iptables -A inbound -j ACCEPT -p icmp
run ip6tables -A inbound -j ACCEPT -p icmpv6

m4_divert(88)m4_dnl
## Allow unusual things.
openports inbound

## Inspect inbound packets from untrusted sources.
run iptables -A inbound -s 172.29.198.0/24 -g inbound-untrusted
run ip6tables -A inbound -s 2001:8b0:c92:8000::/49 -g inbound-untrusted
run ip46tables -A inbound-untrusted -g forbidden
run ip46tables -A inbound -g forbidden
run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound

## Allow responses from the scary outside world into the untrusted net, but
## don't let untrusted things run services.
case $forward in
  1)
    run ip46tables -A FORWARD -j ACCEPT \
        -m mark --mark $(( $from_scary | $to_untrusted ))/$(( $MASK_FROM | $MASK_TO )) \
        -m state --state ESTABLISHED,RELATED
    ;;
esac

## Otherwise process as indicated by the mark.
for i in $inchains; do
  run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
done

m4_divert(-1)
###----- That's all, folks --------------------------------------------------