update caw
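#!/bin/bash

# Router firewall: flushes and rebuilds the v4/v6 tables, ipsets and sysctls.
# Usage: router.sh [commit]   (anything but "commit" is a dry run, see below)
set -e

# some system-specific config...

# external (WAN) side; EXT is the address outbound traffic is SNATed to
EXT=173.164.216.234
EXT_IF=eth2

# internal (LAN) side
INT='192.168.0.0/24'
INT_IF=eth5

# v6: tunnel uplink and the delegated internal prefix
EXT6_IF=he6
INT6_IF=eth5
SUBNET6='2001:470:1f05:cb8::/64'

UPLINK=11232 #kbit
BURST=15 #k
# NOTE(review): INT, UPLINK, BURST and TC are not referenced again in this
# file and are not exported; if shaper.sh relies on them, confirm how it
# gets them.

# note that behavior between v4 and v6 is slightly different

###
##
#
# Resolve each tool once and refuse to continue if one is missing. Relying on
# set -e here would abort silently; an empty command name would be worse,
# since "-F", "-P INPUT DROP" etc. would then run as bare commands.
need_tool() {
  command -v "$1" || { echo "required tool not found: $1" >&2; return 1; }
}
IPTABLES=$(need_tool iptables) || exit 1
IP6TABLES=$(need_tool ip6tables) || exit 1
IPSET=$(need_tool ipset) || exit 1
TC=$(need_tool tc) || exit 1
SYSCTL=/usr/sbin/sysctl
F2B_CTL="/etc/init.d/fail2ban"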
31
# Dry run unless invoked as "router.sh commit": prefix every tool with echo so
# the generated commands are printed instead of executed. This is why the tool
# variables are expanded unquoted everywhere below -- "echo /sbin/iptables"
# has to word-split back into a command and its argument.
if [ "commit" != "$1" ]; then
  for tool_var in IPTABLES IP6TABLES IPSET TC SYSCTL F2B_CTL; do
    printf -v "$tool_var" 'echo %s' "${!tool_var}"
  done
fi
40
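# fail2ban writes its own chains, don't flush tables before shutting it down.
# Only a live fail2ban-server counts. The ps call stays inside the condition:
# as a plain assignment (the old backtick form) a stale pidfile made it fail
# and set -e aborted the whole script before any rule was loaded. A missing
# pidfile is the normal "not installed / not running" case, so cat's error
# is silenced on purpose.
f2b_needs_attention=0
if f2b_pid=$(cat /var/run/fail2ban/fail2ban.pid 2>/dev/null) \
   && f2b_comm=$(ps -o comm= -p "${f2b_pid}") \
   && [ "fail2ban-server" = "${f2b_comm}" ]; then
  f2b_needs_attention=1
fi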
52
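#######################################
# Write a sysctl only when the running value differs, so repeated runs and
# the dry run stay quiet for settings that are already right.
# Arguments: $1 - sysctl key, $2 - wanted value
# Outputs:   "setting KEY to VALUE" on stdout before each write
# Returns:   status of the sysctl write, 0 when nothing had to change
#######################################
sysctl_set() {
  local key=$1 want=$2
  # -n prints the bare value, -e turns an unknown key into empty output. The
  # substitution is quoted so an empty or multi-word result (unknown key, or
  # the echoed command line in dry-run mode) still yields a valid test instead
  # of "[: too many arguments", which used to skip the setting silently.
  if [ "$want" != "$($SYSCTL -ne "$key")" ]; then
    echo "setting $key to $want"
    $SYSCTL -w "$key=$want"
  fi
}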
60
# system config: one "key value" per line, applied in this order through
# sysctl_set; lines starting with '#' are notes and are skipped.
while read -r key value; do
  case "$key" in ''|'#'*) continue ;; esac
  sysctl_set "$key" "$value"
done <<'EOF'
# enable forwarding
net.ipv4.ip_forward 1
net.ipv6.conf.all.forwarding 1
# disable routing triangulation; queries go out same interface
net.ipv4.conf.all.rp_filter 1
# log malformed packets -- note the value below leaves martian logging OFF;
# the enabling line (value 1) has been kept out deliberately so far
net.ipv4.conf.all.log_martians 0
# disable redirects
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.all.accept_redirects 0
# disable source routed packets
net.ipv4.conf.all.accept_source_route 0
# do syncookies
net.ipv4.tcp_syncookies 1
EOF
77
# fail2ban has to be down before the flush below removes its chains
if [ "${f2b_needs_attention}" = 1 ]; then
  ${F2B_CTL} stop
fi
81
# flush tables: the bare -F already empties every filter chain; the per-chain
# flushes are kept as before. User chains (-X) are only removed from filter;
# nothing here touches user chains in mangle or nat.
${IPTABLES} -F
for chain in INPUT OUTPUT FORWARD; do
  ${IPTABLES} -F "${chain}"
done
for table in mangle nat; do
  ${IPTABLES} -F -t "${table}"
done
${IPTABLES} -X

# same for v6 (no nat table here)
${IP6TABLES} -F
for chain in INPUT OUTPUT FORWARD; do
  ${IP6TABLES} -F "${chain}"
done
${IP6TABLES} -F -t mangle
${IP6TABLES} -X
97
# default policies. From this point until the ACCEPT rules further down are
# appended, INPUT is DROP on a flushed table: if the script aborts in between
# (set -e) the box is reachable from the console only.
# v4: drop unsolicited input, let local and forwarded traffic through
while read -r chain policy; do
  ${IPTABLES} -P "${chain}" "${policy}"
done <<'EOF'
INPUT DROP
OUTPUT ACCEPT
FORWARD ACCEPT
EOF

# v6: default-deny in every direction; every allowed flow is listed explicitly
for chain in INPUT OUTPUT FORWARD; do
  ${IP6TABLES} -P "${chain}" DROP
done
106
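# traffic shaping. Resolved from this script's own directory so the call does
# not depend on the caller's cwd: a failure here aborts under set -e with the
# tables already flushed and INPUT set to DROP. Note this runs for real even in
# dry-run mode -- it is not wrapped by the echo prefix (unless shaper.sh
# handles that itself).
"$(dirname -- "${BASH_SOURCE[0]}")/shaper.sh" "${EXT_IF}"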
108
# reserve a special place in hell for some people
#######################################
# Build the "xenophobe" chain: replies to conversations we started go back to
# the caller, everything else is answered with port-unreachable (a REJECT,
# not a silent DROP).
# Arguments: $1 - firewall command (expanded unquoted so the dry-run "echo"
#                 prefix still word-splits)
#            $2 - --reject-with type for that address family
#######################################
build_xenophobe_chain() {
  local fw=$1 reject_with=$2
  $fw -N xenophobe
  $fw -A xenophobe -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
  $fw -A xenophobe -j REJECT --reject-with "${reject_with}"
}
build_xenophobe_chain "$IPTABLES" icmp-port-unreachable
build_xenophobe_chain "$IP6TABLES" icmp6-port-unreachable
117
# create ipsets for v4 and v6 (-exist: reuse a set that is already there, so
# its contents survive a re-run; the sets must exist before the --match-set
# rules below reference them). Presumably sinokorea.sh / xenophobe.sh /
# trusted.sh fill them in.
for s in xenophobe sinokorea; do
  $IPSET create "$s" -exist hash:net counters
  $IPSET create "${s}6" -exist hash:net family inet6 counters
done
$IPSET create trusted -exist hash:net
$IPSET create trusted6 -exist hash:net family inet6

# create ipsets shared by v4 and v6 (port sets; not referenced in this file,
# presumably used by ./services)
for s in allowed_udp allowed_tcp; do
  $IPSET create "$s" -exist bitmap:port range 0-65535
done
135
136
137 ###
138 ##
139 #
140
# allow local traffics
$IPTABLES -A INPUT -i lo -j ACCEPT
$IP6TABLES -A INPUT -i lo -j ACCEPT
$IP6TABLES -A OUTPUT -o lo -j ACCEPT

# allow anything out to v6
$IP6TABLES -A OUTPUT -o "${EXT6_IF}" -j ACCEPT

# allow all internal traffic in (-I puts this at the top of INPUT, ahead of
# the lo rule appended above)
$IP6TABLES -I INPUT -i "${INT6_IF}" -j ACCEPT

# allow icmp; v6 accepts it in all three chains
$IPTABLES -A INPUT -p icmp -j ACCEPT
for chain in INPUT OUTPUT FORWARD; do
  $IP6TABLES -A "${chain}" -p ipv6-icmp -j ACCEPT
done

# drop source-route headered v6; keep going (set -e) when the rt match is
# unavailable, but say so
$IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP || echo "MISSING RT MATCH" 1>&2

# drop bad packets; these are all illegal combinations (v4 only). Each line
# is the flag mask followed by the flags that must be set within it.
while read -r mask set_flags; do
  $IPTABLES -A INPUT -p tcp --tcp-flags "${mask}" "${set_flags}" -j DROP
done <<'EOF'
ALL FIN,URG,PSH
ALL ALL
ALL SYN,RST,ACK,FIN,URG
ALL NONE
SYN,RST SYN,RST
SYN,FIN SYN,FIN
EOF

# allow trusted things -- checked before the block lists, so a trusted
# source is never sent to the xenophobe chain
$IPTABLES -A INPUT -m set --match-set trusted src -j ACCEPT
$IP6TABLES -A INPUT -m set --match-set trusted6 src -j ACCEPT

# drop sketchy things (the xenophobe chain rejects rather than drops)
$IPTABLES -A INPUT -m set --match-set xenophobe src -j xenophobe
$IP6TABLES -A INPUT -m set --match-set xenophobe6 src -j xenophobe

# drop asia from ssh and smtp
$IPTABLES -A INPUT -m set --match-set sinokorea src -m multiport -p tcp --dports ssh,smtp -j xenophobe
$IP6TABLES -A INPUT -m set --match-set sinokorea6 src -m multiport -p tcp --dports ssh,smtp -j xenophobe

# don't forward packets in. The v4 FORWARD policy is ACCEPT, so within this
# file this one rule is what keeps new inbound connections off the LAN.
$IPTABLES -A FORWARD -i "${EXT_IF}" -m conntrack --ctstate NEW,INVALID -j DROP

# forward from internal site subnet (v6 FORWARD policy is DROP: only new
# flows sourced from our own prefix may go out)
$IP6TABLES -A FORWARD -i "${INT6_IF}" -o "${EXT6_IF}" -s "${SUBNET6}" -m conntrack --ctstate NEW -j ACCEPT

# allow things we've dealt with
$IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IP6TABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IP6TABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# accept ipv6 link-local and multicast, in and out, matched on the SOURCE
# address. NOTE(review): ff00::/8 is never a valid source; confirm whether
# -d was intended for the multicast rules.
for prefix in fe80::/10 ff00::/8; do
  $IP6TABLES -A INPUT -s "${prefix}" -j ACCEPT
  $IP6TABLES -A OUTPUT -s "${prefix}" -j ACCEPT
done

# many:1 NAT
$IPTABLES -t nat -A POSTROUTING -o "${EXT_IF}" -j SNAT --to "${EXT}"

# accept internal network traffic
$IPTABLES -A INPUT -i "${INT_IF}" -j ACCEPT
# NOTE(review): with v6 OUTPUT policy DROP, nothing in this file accepts
# global-source traffic out of ${INT6_IF} apart from ipv6-icmp; confirm
# ./services covers it or that this is intended.
203
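# Helper scripts live next to this one; resolve them from the script's own
# directory rather than the caller's cwd. A script missing here aborts under
# set -e with INPUT already DROP and only the rules above installed. Like the
# shaper call, these run for real even in dry-run mode unless they implement
# their own handling.
here=$(dirname -- "${BASH_SOURCE[0]}")
"${here}/services" "${EXT_IF}" "${EXT6_IF}"

# load rules
# inserts, so stack order matters (presumably trusted, run last, lands on top)
"${here}/sinokorea.sh"
"${here}/xenophobe.sh"
"${here}/trusted.sh"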
211
# bring fail2ban back now that the base rules it inserts into are in place
if [ "${f2b_needs_attention}" = 1 ]; then
  ${F2B_CTL} start
fi