[firewall-squeep] / router.sh

#!/bin/bash

set -e

# some system-specific config...

EXT=173.164.216.234
EXT_IF=eth2

INT='192.168.0.0/24'
INT_IF=eth5

EXT6_IF=he6
INT6_IF=eth5
SUBNET6='2001:470:1f05:cb8::/64'

UPLINK=11232 #kbit
BURST=15 #k

# note that behavior between v4 and v6 is slightly different

###
##
#
IPTABLES=$(which iptables)
IP6TABLES=$(which ip6tables)
IPSET=$(which ipset)
TC=$(which tc)
SYSCTL=/usr/sbin/sysctl
F2B_CTL="/etc/init.d/fail2ban"

if [ "commit" != "$1" ]; then
        IPTABLES="echo ${IPTABLES}"
        IP6TABLES="echo ${IP6TABLES}"
        IPSET="echo ${IPSET}"
        TC="echo ${TC}"
        SYSCTL="echo ${SYSCTL}"
        F2B_CTL="echo ${F2B_CTL}"
fi

# fail2ban writes its own chains, don't flush tables before shutting it down
f2b_needs_attention=0
if f2b_pid=$(cat /var/run/fail2ban/fail2ban.pid)
then
        f2b_comm=`ps -o comm= -p ${f2b_pid}`
        if [ $? -eq 0 ]; then
                if [ "fail2ban-server" = "${f2b_comm}" ]; then
                        f2b_needs_attention=1
                fi
        fi
fi

function sysctl_set(){
        if [ "$2" != $($SYSCTL -ne "$1") ]
        then
                echo "setting $1 to $2"
                $SYSCTL -w "$1"="$2"
        fi
}

# system config
# enable forwarding
sysctl_set net.ipv4.ip_forward 1
sysctl_set net.ipv6.conf.all.forwarding 1
# disable routing triangulation; queries go out same interface
sysctl_set net.ipv4.conf.all.rp_filter 1
# log malformed packets
#${SYSCTL} -w net.ipv4.conf.all.log_martians=1
sysctl_set net.ipv4.conf.all.log_martians 0
# disable redirects
sysctl_set net.ipv4.conf.all.send_redirects 0
sysctl_set net.ipv4.conf.all.accept_redirects 0
# disable source routed packets
sysctl_set net.ipv4.conf.all.accept_source_route 0
# do syncookies
sysctl_set net.ipv4.tcp_syncookies 1

if [ ${f2b_needs_attention} -eq 1 ]; then
        ${F2B_CTL} stop
fi

# flush tables
${IPTABLES} -F
${IPTABLES} -F INPUT
${IPTABLES} -F OUTPUT
${IPTABLES} -F FORWARD
${IPTABLES} -F -t mangle
${IPTABLES} -F -t nat
${IPTABLES} -X 

$IP6TABLES -F
$IP6TABLES -F INPUT
$IP6TABLES -F OUTPUT
$IP6TABLES -F FORWARD
$IP6TABLES -F -t mangle
$IP6TABLES -X

# default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

$IP6TABLES -P INPUT DROP
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -P FORWARD DROP

./shaper.sh ${EXT_IF}

# reserve a special place in hell for some people
$IPTABLES -N xenophobe
$IPTABLES -A xenophobe -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
$IPTABLES -A xenophobe -j REJECT --reject-with icmp-port-unreachable

$IP6TABLES -N xenophobe
$IP6TABLES -A xenophobe -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
$IP6TABLES -A xenophobe -j REJECT --reject-with icmp6-port-unreachable

# create ipsets for v4 and v6
for s in xenophobe sinokorea
do
        $IPSET create "$s" -exist hash:net counters
        $IPSET create "$s"6 -exist hash:net family inet6 counters
done
for s in trusted
do
        $IPSET create "$s" -exist hash:net
        $IPSET create "$s"6 -exist hash:net family inet6
done

# create ipsets shared by v4 and v6 
for s in allowed_udp allowed_tcp
do
        $IPSET create "$s" -exist bitmap:port range 0-65535
done


###
##
#

# allow local traffics
$IPTABLES -A INPUT -i lo -j ACCEPT
$IP6TABLES -A INPUT -i lo -j ACCEPT
$IP6TABLES -A OUTPUT -o lo -j ACCEPT

# allow anything out to v6
$IP6TABLES -A OUTPUT -o ${EXT6_IF} -j ACCEPT

# allow all internal traffic in
$IP6TABLES -I INPUT -i ${INT6_IF} -j ACCEPT

# allow icmp
$IPTABLES -A INPUT -p icmp -j ACCEPT
$IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT
$IP6TABLES -A OUTPUT -p ipv6-icmp -j ACCEPT
$IP6TABLES -A FORWARD -p ipv6-icmp -j ACCEPT

# drop source-route headered v6
$IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP || echo "MISSING RT MATCH" 1>&2

# drop bad packets; these are all illegal combinations
for flags in 'ALL FIN,URG,PSH' 'ALL ALL' 'ALL SYN,RST,ACK,FIN,URG' 'ALL NONE' 'SYN,RST SYN,RST' 'SYN,FIN SYN,FIN'
do
        $IPTABLES -A INPUT -p tcp --tcp-flags ${flags} -j DROP
done

# allow trusted things
$IPTABLES -A INPUT -m set --match-set trusted src -j ACCEPT
$IP6TABLES -A INPUT -m set --match-set trusted6 src -j ACCEPT

# drop sketchy things
$IPTABLES -A INPUT -m set --match-set xenophobe src -j xenophobe
$IP6TABLES -A INPUT -m set --match-set xenophobe6 src -j xenophobe

# drop asia from ssh and smtp
$IPTABLES -A INPUT -m set --match-set sinokorea src -m multiport -p tcp --dports ssh,smtp -j xenophobe
$IP6TABLES -A INPUT -m set --match-set sinokorea6 src -m multiport -p tcp --dports ssh,smtp -j xenophobe

# don't forward packets in
$IPTABLES -A FORWARD -i ${EXT_IF} -m conntrack --ctstate NEW,INVALID -j DROP

# forward from internal site subnet
$IP6TABLES -A FORWARD -i ${INT6_IF} -o ${EXT6_IF} -s ${SUBNET6} -m conntrack --ctstate NEW -j ACCEPT

# allow things we've dealt with
$IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IP6TABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IP6TABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# accept ipv6 link-local
$IP6TABLES -A INPUT -s fe80::/10 -j ACCEPT
$IP6TABLES -A OUTPUT -s fe80::/10 -j ACCEPT

# accept ipv6 multicast
$IP6TABLES -A INPUT -s ff00::/8 -j ACCEPT
$IP6TABLES -A OUTPUT -s ff00::/8 -j ACCEPT

# many:1 NAT
$IPTABLES -t nat -A POSTROUTING -o ${EXT_IF} -j SNAT --to ${EXT}

# accept internal network traffic
$IPTABLES -A INPUT -i ${INT_IF} -j ACCEPT

# accept list of external ports
$IPTABLES -A INPUT -i ${EXT_IF} -p tcp -m set --match-set allowed_tcp dst -j ACCEPT
$IPTABLES -A INPUT -i ${EXT_IF} -p udp -m set --match-set allowed_udp dst -j ACCEPT
$IP6TABLES -A INPUT -i ${EXT6_IF} -p tcp -m set --match-set allowed_tcp dst -j ACCEPT
$IP6TABLES -A INPUT -i ${EXT6_IF} -p udp -m set --match-set allowed_udp dst -j ACCEPT

# load rules
# inserts, so stack order matters
./sinokorea.sh
./xenophobe.sh
./trusted.sh

if [ ${f2b_needs_attention} -eq 1 ]; then
        ${F2B_CTL} start
fi