Add a function for defining standard rules on a chain: currently it only
provides fragment-handling policy.
The fragment policy is to pass fragments unmolested, except for TCP. An
IP stack which can't reassemble fragments safely needs more protection
than we can provide here.
Note that this only affects `inbound' chains. The forwarding rules
don't usually work at the level of individual ports, so this is OK; the
ones that do have been nobbled to refuse IP fragments.
run iptables -A $chain -p tcp ! --syn -g bad-tcp
}
run iptables -A $chain -p tcp ! --syn -g bad-tcp
}
+## commonrules CHAIN
+##
+## Add standard IP filtering rules to the CHAIN.
+commonrules () {
+ set -e
+ chain=$1
+
+ ## Pass fragments through, assuming that the eventual destination will sort
+ ## things out properly. Except for TCP, that is, which should never be
+ ## fragmented.
+ run iptables -A $chain -p tcp -f -g tcp-fragment
+ run iptables -A $chain -f -j ACCEPT
+}
+
## allowservices CHAIN PROTO SERVICE ...
##
## Add rules to allow the SERVICES on the CHAIN.
## allowservices CHAIN PROTO SERVICE ...
##
## Add rules to allow the SERVICES on the CHAIN.
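Review bot: commonrules appends its two rules with `-A`, so it only governs fragments that reach that point of CHAIN; anything appended to CHAIN before it is called still sees every fragment, and the final `-f -j ACCEPT` then admits all non-TCP non-first fragments to the chain's target, which is the behaviour the commit message accepts but the header comment does not state. The `-g tcp-fragment` target is also not created in this hunk, so it presumably has to exist before commonrules runs. I would extend the header to `## Must be called right after the chain is cleared, before any port- or state-based rules; requires the tcp-fragment chain to exist.` Separately, `chain=$1` is a global, unquoted assignment and `$chain` is expanded unquoted on both iptables lines; `run iptables -A "$chain" -p tcp -f -g tcp-fragment` is the safer form, unless the rest of the file deliberately leaves variables unquoted, in which case keep it consistent.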
## Allow ping from safe/noloop to untrusted networks.
run iptables -A FORWARD -j ACCEPT \
## Allow ping from safe/noloop to untrusted networks.
run iptables -A FORWARD -j ACCEPT \
- -p icmp --icmp-type echo-request \
+ -p icmp ! -f --icmp-type echo-request \
-m mark --mark $to_untrusted/$MASK_TO
run iptables -A FORWARD -j ACCEPT \
-m mark --mark $to_untrusted/$MASK_TO
run iptables -A FORWARD -j ACCEPT \
- -p icmp --icmp-type echo-reply \
+ -p icmp ! -f --icmp-type echo-reply \
-m mark --mark $from_untrusted/$MASK_FROM \
-m state --state ESTABLISHED
## Allow SSH from safe/noloop to untrusted networks.
run iptables -A FORWARD -j ACCEPT \
-m mark --mark $from_untrusted/$MASK_FROM \
-m state --state ESTABLISHED
## Allow SSH from safe/noloop to untrusted networks.
run iptables -A FORWARD -j ACCEPT \
- -p tcp --destination-port $port_ssh \
+ -p tcp ! -f --destination-port $port_ssh \
-m mark --mark $to_untrusted/$MASK_TO
run iptables -A FORWARD -j ACCEPT \
-m mark --mark $to_untrusted/$MASK_TO
run iptables -A FORWARD -j ACCEPT \
- -p tcp --source-port $port_ssh \
+ -p tcp ! -f --source-port $port_ssh \
-m mark --mark $from_untrusted/$MASK_FROM \
-m state --state ESTABLISHED
-m mark --mark $from_untrusted/$MASK_FROM \
-m state --state ESTABLISHED
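Review bot: The `! -f` added to the four FORWARD rules (echo-request, echo-reply, SSH to and from untrusted) means non-first fragments of those flows no longer match these ACCEPT rules and fall through to whatever follows in FORWARD, which is outside this hunk; a concrete consequence is that an echo larger than the path MTU is no longer forwarded by these rules. That matches the commit message, but nothing at the rule site says why, so a reader could later "fix" it by dropping the `! -f`. A one-line comment on the first rule would pin it: `## ! -f: refuse non-first fragments; the ICMP type / TCP port fields are only in the first fragment.` The enclosing block starts and ends outside the hunk.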
clearchain inbound
## Track connections.
clearchain inbound
## Track connections.
conntrack inbound
## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a
conntrack inbound
## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a