xeno add
1 #!/bin/bash
2
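set -eu

# some system-specific config...

EXT=173.164.216.234
EXT_IF=eth2

# INT is not referenced anywhere in this file (only INT_IF is) -- kept for
# the helper scripts' benefit, TODO confirm whether anything reads it.
INT='192.168.0.0/24'
INT_IF=eth5

EXT6_IF=he6
INT6_IF=eth5
SUBNET6='2001:470:1f05:cb8::/64'

# note that behavior between v4 and v6 is slightly different

###
##
#
# Tool discovery. A missing tool is fatal either way; saying which one is
# missing beats a bare set -e exit with no output.
IPTABLES=$(command -v iptables) || { printf 'iptables not found\n' >&2; exit 1; }
IP6TABLES=$(command -v ip6tables) || { printf 'ip6tables not found\n' >&2; exit 1; }
IPSET=$(command -v ipset) || { printf 'ipset not found\n' >&2; exit 1; }
# TC is not used in this file and is not exported, so shaper.sh cannot see
# it either -- kept as is, TODO confirm whether anything depends on it.
TC=$(command -v tc) || { printf 'tc not found\n' >&2; exit 1; }
SYSCTL=/usr/sbin/sysctl
F2B_CTL="/etc/init.d/fail2ban"

# Dry run unless the first argument is exactly "commit": every tool becomes
# "echo <tool>", so the script prints what it would do instead of doing it.
# ${1-} keeps set -u quiet when no argument is given.
if [ "commit" != "${1-}" ]; then
  IPTABLES="echo ${IPTABLES}"
  IP6TABLES="echo ${IP6TABLES}"
  IPSET="echo ${IPSET}"
  TC="echo ${TC}"
  SYSCTL="echo ${SYSCTL}"
  F2B_CTL="echo ${F2B_CTL}"
fi

# fail2ban writes its own chains, don't flush tables before shutting it down
f2b_needs_attention=0
f2b_pidfile=/var/run/fail2ban/fail2ban.pid
if f2b_pid=$(cat "$f2b_pidfile" 2>/dev/null); then
  # Only hand ps a plain number; a garbled pidfile must not turn into
  # ps options.  ps exits non-zero when the pid is gone, and as a plain
  # assignment that would abort the whole script under set -e on a stale
  # pidfile -- so the call is the condition, not a statement.
  if [[ $f2b_pid =~ ^[0-9]+$ ]] \
     && f2b_comm=$(ps -o comm= -p "$f2b_pid" 2>/dev/null) \
     && [ "fail2ban-server" = "$f2b_comm" ]; then
    f2b_needs_attention=1
  fi
fi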
49
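#######################################
# Set a sysctl only when its current value differs from the wanted one.
# Globals:   SYSCTL (read) - sysctl command; "echo /path" in dry-run mode
# Arguments: $1 - sysctl key, e.g. net.ipv4.ip_forward
#            $2 - wanted value
# Outputs:   "setting KEY to VALUE" on stdout when a write is made;
#            a skip notice on stderr when the key cannot be read
# Returns:   0, or the status of the sysctl write
#######################################
sysctl_set() {
  local key=$1 want=$2 have
  # -n prints only the value, -e makes unknown keys print nothing.
  # SYSCTL is deliberately unquoted: in dry-run mode it is "echo /path".
  # A failed read must not abort the script under set -e; it just yields "".
  # shellcheck disable=SC2086
  have=$($SYSCTL -ne "$key") || have=''
  # Nothing readable (key absent on this kernel) -> leave it alone rather
  # than attempt a write that would fail and stop the script.
  if [ -z "$have" ]; then
    printf 'skipping %s: not readable\n' "$key" >&2
    return 0
  fi
  # Quoted on both sides so the test is well-formed for any value.
  if [ "$want" != "$have" ]; then
    printf 'setting %s to %s\n' "$key" "$want"
    # shellcheck disable=SC2086
    $SYSCTL -w "${key}=${want}"
  fi
}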
57
# system config
# Each entry is "key value"; sysctl_set only writes when the value differs.
sysctl_wanted=(
  # enable forwarding
  'net.ipv4.ip_forward 1'
  'net.ipv6.conf.all.forwarding 1'
  # disable routing triangulation; queries go out same interface
  'net.ipv4.conf.all.rp_filter 1'
  # martian logging is deliberately off; the enabling form is kept for reference:
  #${SYSCTL} -w net.ipv4.conf.all.log_martians=1
  'net.ipv4.conf.all.log_martians 0'
  # disable redirects
  'net.ipv4.conf.all.send_redirects 0'
  'net.ipv4.conf.all.accept_redirects 0'
  # disable source routed packets
  'net.ipv4.conf.all.accept_source_route 0'
  # do syncookies
  'net.ipv4.tcp_syncookies 1'
)
for sysctl_entry in "${sysctl_wanted[@]}"; do
  read -r sysctl_key sysctl_value <<<"$sysctl_entry"
  sysctl_set "$sysctl_key" "$sysctl_value"
done

# fail2ban owns some chains: stop it before the flush that follows so it
# does not fight the reload; it is started again at the end of the script.
if (( f2b_needs_attention == 1 )); then
  # F2B_CTL is deliberately unquoted: in dry-run mode it is "echo /path".
  ${F2B_CTL} stop
fi
78
79 # flush tables
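# flush tables
# -F with no chain flushes every chain of the table, so the per-chain
# flushes are covered; -X then removes every user-defined chain (fail2ban's
# included -- it was stopped above for that reason).  nat and mangle get
# -X as well so a stale user chain there cannot survive a reload.
${IPTABLES} -F
${IPTABLES} -F -t mangle
${IPTABLES} -F -t nat
${IPTABLES} -X
${IPTABLES} -X -t mangle
${IPTABLES} -X -t nat

# v6 nat is not touched here, as before -- TODO confirm nothing lives there.
$IP6TABLES -F
$IP6TABLES -F -t mangle
$IP6TABLES -X
$IP6TABLES -X -t mangle

# default policies
# v4: only INPUT fails closed; FORWARD is ACCEPT and relies on the
# ctstate DROP rule later in this file.  v6: everything fails closed.
# Lockout window: from here until the conntrack ACCEPT rules are appended
# INPUT is DROP, and under set -e any failing command in between leaves it
# that way.  Exercise changes with the dry run (no "commit" argument) first.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

$IP6TABLES -P INPUT DROP
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -P FORWARD DROP

# traffic shaping is a separate script
# NOTE(review): run relative to the current directory, and nothing tells it
# about dry-run mode (TC is neither passed nor exported) -- presumably it
# applies for real on every invocation; confirm.
./shaper.sh "${EXT_IF}"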
105
# reserve a special place in hell for some people
#######################################
# Build the "xenophobe" chain: replies to connections we opened pass
# (RETURN), everything else is rejected with a port-unreachable.
# Arguments: $1 - iptables/ip6tables command ("echo /path" in dry-run mode)
#            $2 - --reject-with type for that address family
#######################################
make_xenophobe_chain() {
  local tool=$1 reject_type=$2
  # tool is deliberately unquoted so the dry-run "echo /path" form splits
  # shellcheck disable=SC2086
  $tool -N xenophobe
  # shellcheck disable=SC2086
  $tool -A xenophobe -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
  # shellcheck disable=SC2086
  $tool -A xenophobe -j REJECT --reject-with "$reject_type"
}
make_xenophobe_chain "$IPTABLES" icmp-port-unreachable
make_xenophobe_chain "$IP6TABLES" icmp6-port-unreachable

#######################################
# Create a hash:net ipset and its v6 twin (same name with a "6" suffix).
# -exist makes re-creation on reload a no-op.
# Arguments: $1 - set name; remaining args are extra create options
#######################################
create_net_set_pair() {
  local set_name=$1
  shift
  $IPSET create "$set_name" -exist hash:net "$@"
  $IPSET create "${set_name}6" -exist hash:net family inet6 "$@"
}

# create ipsets for v4 and v6
create_net_set_pair xenophobe counters
create_net_set_pair sinokorea counters
create_net_set_pair trusted

# create ipsets shared by v4 and v6
for port_set in allowed_udp allowed_tcp; do
  $IPSET create "$port_set" -exist bitmap:port range 0-65535
done
132
133
134 ###
135 ##
136 #
137
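# allow local traffics
$IPTABLES -A INPUT -i lo -j ACCEPT
$IP6TABLES -A INPUT -i lo -j ACCEPT
$IP6TABLES -A OUTPUT -o lo -j ACCEPT

# allow anything out to v6
$IP6TABLES -A OUTPUT -o "${EXT6_IF}" -j ACCEPT

# allow all internal traffic in
# -I, not -A: this lands at the top of INPUT, ahead of every check that
# follows, so the internal v6 interface is fully trusted.
$IP6TABLES -I INPUT -i "${INT6_IF}" -j ACCEPT

# allow icmp
$IPTABLES -A INPUT -p icmp -j ACCEPT
$IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT
$IP6TABLES -A OUTPUT -p ipv6-icmp -j ACCEPT
$IP6TABLES -A FORWARD -p ipv6-icmp -j ACCEPT

# drop source-route headered v6
# best-effort: the rt match may be absent from the kernel; report and go on
$IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP || printf 'MISSING RT MATCH\n' >&2

# drop bad packets; these are all illegal combinations
# Each entry is "mask compare", the two arguments --tcp-flags takes.
# Split explicitly instead of relying on an unquoted expansion.  v4 only,
# as before.
bad_tcp_flags=(
  'ALL FIN,URG,PSH'
  'ALL ALL'
  'ALL SYN,RST,ACK,FIN,URG'
  'ALL NONE'
  'SYN,RST SYN,RST'
  'SYN,FIN SYN,FIN'
)
for flag_combo in "${bad_tcp_flags[@]}"; do
  read -r flag_mask flag_comp <<<"$flag_combo"
  $IPTABLES -A INPUT -p tcp --tcp-flags "$flag_mask" "$flag_comp" -j DROP
done

# allow trusted things
$IPTABLES -A INPUT -m set --match-set trusted src -j ACCEPT
$IP6TABLES -A INPUT -m set --match-set trusted6 src -j ACCEPT

# drop sketchy things
$IPTABLES -A INPUT -m set --match-set xenophobe src -j xenophobe
$IP6TABLES -A INPUT -m set --match-set xenophobe6 src -j xenophobe

# drop asia from ssh and smtp
$IPTABLES -A INPUT -m set --match-set sinokorea src -m multiport -p tcp --dports ssh,smtp -j xenophobe
$IP6TABLES -A INPUT -m set --match-set sinokorea6 src -m multiport -p tcp --dports ssh,smtp -j xenophobe

# don't forward packets in
# v4 FORWARD's policy is ACCEPT, so this one rule is what keeps new (and
# invalid) inbound connections from reaching the inside.
$IPTABLES -A FORWARD -i "${EXT_IF}" -m conntrack --ctstate NEW,INVALID -j DROP

# forward from internal site subnet
$IP6TABLES -A FORWARD -i "${INT6_IF}" -o "${EXT6_IF}" -s "${SUBNET6}" -m conntrack --ctstate NEW -j ACCEPT

# allow things we've dealt with
# These sit after the flag and set checks on purpose: established flows
# still go through them.  Until these are in place INPUT is DROP.
$IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IP6TABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IP6TABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# accept ipv6 link-local
# NOTE(review): not tied to an interface, so a fe80:: source arriving on
# EXT6_IF is accepted as well -- confirm that is intended, else add -i.
$IP6TABLES -A INPUT -s fe80::/10 -j ACCEPT
$IP6TABLES -A OUTPUT -s fe80::/10 -j ACCEPT

# accept ipv6 multicast
# NOTE(review): these match on the *source* address, and multicast
# addresses only occur as destinations, so these rules likely never match.
# If the intent is multicast-bound traffic that would be -d.  Left as is:
# the ipv6-icmp ACCEPT above already covers ICMPv6 (NDP, MLD).
$IP6TABLES -A INPUT -s ff00::/8 -j ACCEPT
$IP6TABLES -A OUTPUT -s ff00::/8 -j ACCEPT

# many:1 NAT
$IPTABLES -t nat -A POSTROUTING -o "${EXT_IF}" -j SNAT --to "${EXT}"

# accept internal network traffic
$IPTABLES -A INPUT -i "${INT_IF}" -j ACCEPT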
200
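# per-service openings live in their own script
# NOTE(review): invoked relative to the current directory, and this
# script's dry-run state (echo-prefixed tools) is not passed along, so the
# helpers presumably apply for real on every run -- confirm before relying
# on a dry run of this file.
./services "${EXT_IF}" "${EXT6_IF}"

# load rules
# inserts, so stack order matters
./sinokorea.sh
./xenophobe.sh
./trusted.sh

# Restart fail2ban now that the chains it hooks into exist again.  This is
# the last step on purpose; note that under set -e any earlier failure
# leaves fail2ban stopped.
if (( f2b_needs_attention == 1 )); then
  # F2B_CTL is deliberately unquoted: in dry-run mode it is "echo /path".
  ${F2B_CTL} start
fi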