Update firewall scripts.

sample-rc.d/rc.firewall-float

@@ -3,18 +3,15 @@
 # The name of the main external interface.
 EX_IF="eth0"
 
-# The name of the Private network interface.
-PRI_IF="eth1"
-
 # IP addresses.
-PRIMARYIP="91.109.244.FIXME"
-PRIMARYIP6="2a02:2498:1:227::FIXME"
-FLOATINGIP="91.109.244.FIXME"
-FLOATINGIP6="2a02:2498:1:227::FIXME"
+PRIMARYIP="216.119.155.FIXME"
+PRIMARYIP6="2a02:2498:e004:2a::FIXME"
+FLOATINGIP="216.119.155.FIXME"
+FLOATINGIP6="2a02:2498:e004:2a::FIXME"
 
 # The IP ranges from where to accept unfiltered connections.
-UNFILTERED_RANGES_V4=('91.109.244.7-91.109.244.11' '91.109.244.78-91.109.244.79' '91.109.244.239-91.109.244.243' '185.176.90.169')
-UNFILTERED_RANGES_V6=('2a02:2498:1:227::/64' '2a07:4580:b0d:57f::/64')
+UNFILTERED_RANGES_V4=('212.78.94.73' '216.119.155.58-216.119.155.62' '91.109.244.7-91.109.244.11' '185.176.90.169')
+UNFILTERED_RANGES_V6=('2a02:2498:e004:2a::/64' '2a02:2498:1:227::/64' '2a07:4580:b0d:57f::/64')
 
 
 start_firewall() {
@@ -41,14 +38,6 @@ start_firewall() {
   iptables -t mangle -X
   ip6tables -t mangle -X
 
-  # Allow all loopback traffic.
-  iptables -A INPUT -i lo -j ACCEPT
-  ip6tables -A INPUT -i lo -j ACCEPT
-
-  # Allow all Private network traffic.
-  iptables -A INPUT -i "$PRI_IF" -j ACCEPT
-  ip6tables -A INPUT -i "$PRI_IF" -j ACCEPT
-
   # Drop invalid packets on all interfaces.
   iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
   ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
@@ -60,6 +49,10 @@ start_firewall() {
   iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
   iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
 
+  # Allow all loopback traffic.
+  iptables -A INPUT -i lo -j ACCEPT
+  ip6tables -A INPUT -i lo -j ACCEPT
+
   # Allow unrestricted access from our IPs.
   for IPRANGE in "${UNFILTERED_RANGES_V4[@]}"; do
     iptables -A INPUT -i "$EX_IF" -m iprange --src-range "$IPRANGE" -j ACCEPT
@@ -89,9 +82,7 @@ start_firewall() {
   ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
   ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
 
-  # Always allow SSH.
-  # Note: We never want to be locked out of the system, so also accept on the standard ssh port, just in case things accidently get
-  # set back to defaults.  Any connections to the standard port will just get a 'connection refused' message, unless this happens.
+  # Allow SSH.
   iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
   ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
 

sample-rc.d/rc.firewall-guests

@@ -3,12 +3,9 @@
 # The name of the main external interface.
 EX_IF="eth0"
 
-# The name of the Private network interface.
-PRI_IF="eth1"
-
 # The IP ranges from where to accept unfiltered connections.
-UNFILTERED_RANGES_V4=('91.109.244.7-91.109.244.11' '91.109.244.78-91.109.244.79' '91.109.244.239-91.109.244.243' '185.176.90.169')
-UNFILTERED_RANGES_V6=('2a02:2498:1:227::/64' '2a07:4580:b0d:57f::/64')
+UNFILTERED_RANGES_V4=('212.78.94.73' '216.119.155.58-216.119.155.62' '91.109.244.7-91.109.244.11' '185.176.90.169')
+UNFILTERED_RANGES_V6=('2a02:2498:e004:2a::/64' '2a02:2498:1:227::/64' '2a07:4580:b0d:57f::/64')
 
 
 start_firewall() {
@@ -35,14 +32,6 @@ start_firewall() {
   iptables -t mangle -X
   ip6tables -t mangle -X
 
-  # Allow all loopback traffic.
-  iptables -A INPUT -i lo -j ACCEPT
-  ip6tables -A INPUT -i lo -j ACCEPT
-
-  # Allow all Private network traffic.
-  iptables -A INPUT -i "$PRI_IF" -j ACCEPT
-  ip6tables -A INPUT -i "$PRI_IF" -j ACCEPT
-
   # Drop invalid packets on all interfaces.
   iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
   ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
@@ -54,6 +43,10 @@ start_firewall() {
   iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
   iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
 
+  # Allow all loopback traffic.
+  iptables -A INPUT -i lo -j ACCEPT
+  ip6tables -A INPUT -i lo -j ACCEPT
+
   # Allow unrestricted access from our IPs.
   for IPRANGE in "${UNFILTERED_RANGES_V4[@]}"; do
     iptables -A INPUT -i "$EX_IF" -m iprange --src-range "$IPRANGE" -j ACCEPT
@@ -83,9 +76,7 @@ start_firewall() {
   ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
   ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
 
-  # Always allow SSH.
-  # Note: We never want to be locked out of the system, so also accept on the standard ssh port, just in case things accidently get
-  # set back to defaults.  Any connections to the standard port will just get a 'connection refused' message, unless this happens.
+  # Allow SSH.
   iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
   ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
 

sample-rc.d/rc.firewall-hosts

@@ -4,8 +4,8 @@
 EX_IF="eth0"
 
 # The IP ranges from where to accept unfiltered connections.
-UNFILTERED_RANGES_V4=('91.109.244.7-91.109.244.11' '91.109.244.78-91.109.244.79' '91.109.244.239-91.109.244.243' '185.176.90.169')
-UNFILTERED_RANGES_V6=('2a02:2498:1:227::/64' '2a07:4580:b0d:57f::/64')
+UNFILTERED_RANGES_V4=('212.78.94.73' '216.119.155.58-216.119.155.62' '91.109.244.7-91.109.244.11' '185.176.90.169')
+UNFILTERED_RANGES_V6=('2a02:2498:e004:2a::/64' '2a02:2498:1:227::/64' '2a07:4580:b0d:57f::/64')
 
 
 start_firewall() {
@@ -32,10 +32,6 @@ start_firewall() {
   iptables -t mangle -X
   ip6tables -t mangle -X
 
-  # Allow all loopback traffic.
-  iptables -A INPUT -i lo -j ACCEPT
-  ip6tables -A INPUT -i lo -j ACCEPT
-
   # Drop invalid packets on all interfaces.
   iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
   ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
@@ -47,6 +43,10 @@ start_firewall() {
   iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
   iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
 
+  # Allow all loopback traffic.
+  iptables -A INPUT -i lo -j ACCEPT
+  ip6tables -A INPUT -i lo -j ACCEPT
+
   # Allow unrestricted access from our IPs.
   for IPRANGE in "${UNFILTERED_RANGES_V4[@]}"; do
     iptables -A INPUT -i "$EX_IF" -m iprange --src-range "$IPRANGE" -j ACCEPT
@@ -76,9 +76,7 @@ start_firewall() {
   ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
   ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
 
-  # Always allow SSH.
-  # Note: We never want to be locked out of the system, so also accept on the standard ssh port, just in case things accidently get
-  # set back to defaults.  Any connections to the standard port will just get a 'connection refused' message, unless this happens.
+  # Allow SSH.
   iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
   ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
 

sample-rc.d/rc.firewall-hypervisor-fry

@@ -0,0 +1,157 @@
+#!/bin/bash
+
+# The name of the main external interface.
+EX_IF="eth1"
+
+# The name of the VM network bridge interface.
+BR_IF="br0"
+
+# The IP ranges to accept unfiltered connections from.
+UNFILTERED_RANGES_V4=('212.78.94.73' '216.119.155.58-216.119.155.62' '91.109.244.7-91.109.244.11' '185.176.90.169')
+UNFILTERED_RANGES_V6=('2a02:2498:e004:2a::/64' '2a02:2498:1:227::/64' '2a07:4580:b0d:57f::/64')
+
+
+start_firewall() {
+  # Disable ICMP redirects.
+  # Note: Redirects are used when a router believes a packet is being routed sub optimally and it would like to inform
+  # the sending host that it should forward subsequent packets to that same destination through a different gateway.
+  echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
+  echo 0 >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
+  echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
+
+  # Proxy ARP is required for the VMs to use the network.
+  echo 1 >"/proc/sys/net/ipv4/conf/$EX_IF/proxy_arp"
+
+  # Flush old rules.
+  iptables -F
+  ip6tables -F
+  iptables -t nat -F
+  ip6tables -t nat -F
+  iptables -t mangle -F
+  ip6tables -t mangle -F
+
+  # Delete any custom chains.
+  iptables -X
+  ip6tables -X
+  iptables -t nat -X
+  ip6tables -t nat -X
+  iptables -t mangle -X
+  ip6tables -t mangle -X
+
+  # Drop invalid packets on all interfaces.
+  iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
+  ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
+
+  # Drop unroutable IPs on the external interface.
+  iptables -A INPUT -i "$EX_IF" -s 127.0.0.0/8 -j DROP
+  ip6tables -A INPUT -i "$EX_IF" -s ::1/128 -j DROP
+  iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP
+  iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
+  iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
+
+  # Drop the IPs that we've usurped.
+  iptables -A FORWARD -o "$EX_IF" -s 216.119.155.56/31 -j DROP
+  iptables -A FORWARD -o "$EX_IF" -s 216.119.155.62/31 -j DROP
+  iptables -A FORWARD -i "$EX_IF" -d 216.119.155.56/31 -j DROP
+  iptables -A FORWARD -i "$EX_IF" -d 216.119.155.62/31 -j DROP
+
+  # Allow all loopback traffic.
+  iptables -A INPUT -i lo -j ACCEPT
+  ip6tables -A INPUT -i lo -j ACCEPT
+
+  # Allow all traffic from the bridged network.
+  iptables -A INPUT -i "$BR_IF" -j ACCEPT
+  ip6tables -A INPUT -i "$BR_IF" -j ACCEPT
+
+  # Allow unrestricted access from our IPs.
+  for IPRANGE in "${UNFILTERED_RANGES_V4[@]}"; do
+    iptables -A INPUT -i "$EX_IF" -m iprange --src-range "$IPRANGE" -j ACCEPT
+  done
+  for IPRANGE in "${UNFILTERED_RANGES_V6[@]}"; do
+    ip6tables -A INPUT -i "$EX_IF" -s "$IPRANGE" -j ACCEPT
+  done
+
+  # Allow packets of established connections and those related to them.
+  iptables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+  ip6tables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+  # Allow pings.
+  iptables -A INPUT -i "$EX_IF" -p icmp -m icmp --icmp-type echo-request -j ACCEPT
+  ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-request -j ACCEPT
+  iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type echo-reply -j ACCEPT
+  ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
+
+  # Allow certain types of ICMP informational packets.
+  iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type destination-unreachable -j ACCEPT
+  ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
+  iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type time-exceeded -j ACCEPT
+  ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
+  iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type parameter-problem -j ACCEPT
+  ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
+  ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
+  ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
+  ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
+
+  # Allow SSH.
+  iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
+  ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
+
+  iptables -P INPUT DROP
+  ip6tables -P INPUT DROP
+  iptables -P FORWARD ACCEPT
+  ip6tables -P FORWARD ACCEPT
+  iptables -P OUTPUT ACCEPT
+  ip6tables -P OUTPUT ACCEPT
+}
+
+stop_firewall() {
+  # Set default policies to ACCEPT.
+  iptables -P INPUT ACCEPT
+  ip6tables -P INPUT ACCEPT
+  iptables -P OUTPUT ACCEPT
+  ip6tables -P OUTPUT ACCEPT
+  iptables -P FORWARD ACCEPT
+  ip6tables -P FORWARD ACCEPT
+
+  # Flush rules.
+  iptables -F
+  ip6tables -F
+  iptables -t nat -F
+  ip6tables -t nat -F
+  iptables -t mangle -F
+  ip6tables -t mangle -F
+
+  # Delete any custom chains.
+  iptables -X
+  ip6tables -X
+  iptables -t nat -X
+  ip6tables -t nat -X
+  iptables -t mangle -X
+  ip6tables -t mangle -X
+
+  # Disable proxy ARP.
+  cat /proc/sys/net/ipv4/conf/default/proxy_arp >"/proc/sys/net/ipv4/conf/$EX_IF/proxy_arp"
+
+  # Reset ICMP redirects.
+  cat /proc/sys/net/ipv4/conf/default/accept_redirects >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
+  cat /proc/sys/net/ipv6/conf/default/accept_redirects >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
+  cat /proc/sys/net/ipv4/conf/default/send_redirects >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
+}
+
+
+case "$1" in
+  'start')
+      start_firewall
+    ;;
+  'stop')
+      stop_firewall
+    ;;
+  'restart')
+      stop_firewall
+      start_firewall
+    ;;
+  *)
+    echo "Usage: $BASH_SOURCE <start|stop|restart>" >&2
+    ERR=1
+    ;;
+esac

sample-rc.d/rc.firewall-hypervisors

@@ -3,12 +3,9 @@
 # The name of the main external interface.
 EX_IF="br0"
 
-# The name of the Private network interface.
-PRI_IF="br1"
-
 # The IP ranges from where to accept unfiltered connections.
-UNFILTERED_RANGES_V4=('91.109.244.7-91.109.244.11' '91.109.244.78-91.109.244.79' '91.109.244.239-91.109.244.243' '185.176.90.169')
-UNFILTERED_RANGES_V6=('2a02:2498:1:227::/64' '2a07:4580:b0d:57f::/64')
+UNFILTERED_RANGES_V4=('212.78.94.73' '216.119.155.58-216.119.155.62' '91.109.244.7-91.109.244.11' '185.176.90.169')
+UNFILTERED_RANGES_V6=('2a02:2498:e004:2a::/64' '2a02:2498:1:227::/64' '2a07:4580:b0d:57f::/64')
 
 
 start_firewall() {
@@ -35,14 +32,6 @@ start_firewall() {
   iptables -t mangle -X
   ip6tables -t mangle -X
 
-  # Allow all loopback traffic.
-  iptables -A INPUT -i lo -j ACCEPT
-  ip6tables -A INPUT -i lo -j ACCEPT
-
-  # Allow all Private network traffic.
-  iptables -A INPUT -i "$PRI_IF" -j ACCEPT
-  ip6tables -A INPUT -i "$PRI_IF" -j ACCEPT
-
   # Drop invalid packets on all interfaces.
   iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
   ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
@@ -54,6 +43,10 @@ start_firewall() {
   iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
   iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
 
+  # Allow all loopback traffic.
+  iptables -A INPUT -i lo -j ACCEPT
+  ip6tables -A INPUT -i lo -j ACCEPT
+
   # Allow unrestricted access from our IPs.
   for IPRANGE in "${UNFILTERED_RANGES_V4[@]}"; do
     iptables -A INPUT -i "$EX_IF" -m iprange --src-range "$IPRANGE" -j ACCEPT
@@ -83,9 +76,7 @@ start_firewall() {
   ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
   ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
 
-  # Always allow SSH.
-  # Note: We never want to be locked out of the system, so also accept on the standard ssh port, just in case things accidently get
-  # set back to defaults.  Any connections to the standard port will just get a 'connection refused' message, unless this happens.
+  # Allow SSH.
   iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
   ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT