panda_linux/overlay/etc/firewall.sh

#!/bin/sh

# A Sample OpenVPN-aware firewall.

# eth0 is connected to the internet.
# eth1 is connected to a private subnet.

VPNIF=tun0
LANIF=eth0

PRIVATE=10.42.23.0/24

# Loopback address
LOOP=127.0.0.1

# Delete old iptables rules
# and temporarily block all traffic.
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

cat /proc/net/ip_tables_names | while read table; do
  iptables -t $table -L -n | while read c chain rest; do
      if test "X$c" = "XChain" ; then
        iptables -t $table -F $chain
      fi
  done
  iptables -t $table -X
done

# Set default policies
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Prevent external packets from using loopback addr
iptables -A INPUT -i $LANIF -s $LOOP -j DROP
iptables -A FORWARD -i $LANIF -s $LOOP -j DROP
iptables -A INPUT -i $LANIF -d $LOOP -j DROP
iptables -A FORWARD -i $LANIF -d $LOOP -j DROP

# Anything coming from the Network should have a real Internet address,
# or a known "Uninetz" private address (172.16.0.0/12)

iptables -N Antispoof
iptables -A FORWARD -i $LANIF -s 192.168.0.0/16 -j Antispoof
iptables -A FORWARD -i $LANIF -s 10.0.0.0/8 -j Antispoof
iptables -A INPUT -i $LANIF -s 192.168.0.0/16 -j Antispoof
iptables -A INPUT -i $LANIF -s 10.0.0.0/8 -j Antispoof
iptables -A Antispoof -j LOG --log-prefix "ANTISPOOFIN "
iptables -A Antispoof -j DROP

# Block outgoing NetBios (if you have windows machines running
# on the private subnet).  This will not affect any NetBios
# traffic that flows over the VPN tunnel, but it will stop
# local windows machines from broadcasting themselves to
# the network.
iptables -A FORWARD -p tcp --sport 137:139 -o $LANIF -j DROP
iptables -A FORWARD -p udp --sport 137:139 -o $LANIF -j DROP
iptables -A OUTPUT -p tcp --sport 137:139 -o $LANIF -j DROP
iptables -A OUTPUT -p udp --sport 137:139 -o $LANIF -j DROP

# Check source address validity on packets going out to network
iptables -N SourceAddr
iptables -A OUTPUT -s $PRIVATE -o $LANIF -j SourceAddr
iptables -A SourceAddr -j LOG --log-prefix "SOURCEADDR "
iptables -A SourceAddr -j DROP

# Keep state of connections from local machine and private subnets
iptables -A OUTPUT -m state --state NEW -o $LANIF -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o $LANIF -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow local loopback
iptables -A INPUT -s $LOOP -j ACCEPT
iptables -A INPUT -d $LOOP -j ACCEPT

# Allow useful ICMP, and forward it too
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11/0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11/1 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0/0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 11/0 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 11/1 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 0/0 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 3 -j ACCEPT

# Allow services such as ssh
iptables -A INPUT -p tcp --dport ssh -j ACCEPT -m state --state NEW

iptables -A INPUT -p udp --dport 1194 -j ACCEPT -m state --state NEW

# Allow packets from TUN/TAP devices.
# When OpenVPN is run in a secure mode,
# it will authenticate packets prior
# to their arriving on a tun or tap
# interface.  Therefore, it is not
# necessary to add any filters here,
# unless you want to restrict the
# type of packets which can flow over
# the tunnel.

iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT

# Catchall
iptables -A INPUT -j LOG --log-prefix "CATCHALL "
iptables -A FORWARD -j LOG --log-prefix "CATCHALL "

# Masquerade local subnet
iptables -t nat -A POSTROUTING -s $PRIVATE -o $LANIF -j MASQUERADE

echo "1" > /proc/sys/net/ipv4/ip_forward


## Setup IPv6

IP6PRIVATE=2001:7c0:409:8e78::/64
IP6LANIP=2001:7c0:409:8e78::117:221

# Delete old iptables rules
# and temporarily block all traffic.
ip6tables -P OUTPUT  DROP
ip6tables -P INPUT   DROP
ip6tables -P FORWARD DROP

cat /proc/net/ip6_tables_names | while read table; do
  ip6tables -t $table -L -n | while read c chain rest; do
      if test "X$c" = "XChain" ; then
        ip6tables -t $table -F $chain
      fi
  done
  ip6tables -t $table -X
done

# Set default policies
ip6tables -P OUTPUT ACCEPT
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP

ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP

# Loopback
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Source spoof filtering from us
#ip6tables -N SSOutFilterLAN
#ip6tables -A OUTPUT -o $LANIF -j SSOutFilterLAN
#ip6tables -A FORWARD -o $LANIF -j SSOutFilterLAN
#ip6tables -A SSOutFilterLAN -s $IP6LANIP -j RETURN
#ip6tables -A SSOutFilterLAN -s fe80::/10 -j RETURN
#ip6tables -A SSOutFilterLAN -j LOG --log-prefix "SOURCESPOOFOUT6 "
#ip6tables -A SSOutFilterLAN -j DROP

# Source spoof filtering to us
ip6tables -N SSInFilterLAN
ip6tables -A INPUT -i $LANIF -s $IP6LANIP -j SSInFilterLAN
ip6tables -A SSInFilterLAN -j LOG --log-prefix "SOURCESPOOFIN6 "
ip6tables -A SSInFilterLAN -j DROP

# Route errors
ip6tables -N REOutFilterLAN
ip6tables -A OUTPUT -o $LANIF -d $IP6LANIP -j REOutFilterLAN
ip6tables -A FORWARD -o $LANIF -d $IP6LANIP -j REOutFilterLAN
ip6tables -A REOutFilterLAN -j LOG --log-prefix "ROUTEERR6 "
ip6tables -A REOutFilterLAN -j DROP

# State tracking
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow ssh and openvpn access
ip6tables -A INPUT -i $LANIF -d $IP6LANIP -p tcp --dport ssh -m state --state NEW -j ACCEPT
ip6tables -A INPUT -i $LANIF -d $IP6LANIP -p udp --dport 1194 -m state --state NEW -j ACCEPT

# Allow useful ICMPv6
ip6tables -A INPUT  -i $LANIF -p ipv6-icmp  -m icmp6 --icmpv6-type 128/0   -m state --state NEW  -j ACCEPT
ip6tables -A INPUT  -i $LANIF -p ipv6-icmp  -m icmp6 --icmpv6-type 3/0   -m state --state NEW  -j ACCEPT
ip6tables -A INPUT  -i $LANIF -p ipv6-icmp  -m icmp6 --icmpv6-type 3/1   -m state --state NEW  -j ACCEPT
ip6tables -A INPUT  -i $LANIF -p ipv6-icmp  -m icmp6 --icmpv6-type 2  -m state --state NEW  -j ACCEPT
ip6tables -A INPUT  -i $LANIF -p ipv6-icmp  -m icmp6 --icmpv6-type 1  -m state --state NEW  -j ACCEPT
ip6tables -A INPUT  -i $LANIF -p ipv6-icmp  -m icmp6 --icmpv6-type 129/0   -m state --state NEW  -j ACCEPT

# Allow NDP
ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 135/0 -j ACCEPT
ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 136/0 -j ACCEPT
ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 134/0 -j ACCEPT
ip6tables -N NoRouterAdv
ip6tables -A OUTPUT -o $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 134/0 -j NoRouterAdv # Protect from misconfiguration (we are not a router)
ip6tables -A FORWARD -o $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 134/0 -j NoRouterAdv
ip6tables -A NoRouterAdv -j LOG --log-prefix "NORADV6 "
ip6tables -A NoRouterAdv -j DROP

ip6tables -A INPUT -j LOG --log-prefix "CATCHALL6 "
ip6tables -A FORWARD -j LOG --log-prefix "CATCHALL6 "