Not ready for human consumption, I'll remove this notice and resume work on this article when I get back from pizza - [LAW]

The devil has a name, and it is ucc-fw. This article aspires to be a reference manual for the UCC firewall. It does not aspire to be a reference manual for iptables, and readers are expected to familiarize themselves with the basics of iptables syntax before attempting to change the central firewall. TableOfContents

Not just a firewall

ucc-fw is located on madako in /etc/init.d/ and at time of writing weighs in at nearly 700 lines of arcane iptables commands and cryptic comments, and is responsible for keeping the baddies out. It is also responsible for keeping costs down by making sure the right data goes out the right link, NAT for the Silk link, and a lot of other things the reasons for which will become apparent as you become familiar with the way information flows in and out of the club.

As suggested by its location, ucc-fw is initialized at boot and can changes can be applied by simply running the script again.

Overview

The firewall script has several distinct parts. Let's look at them in turn:

Madako firewalling

First up is the incoming firewall for madako itself. This is fairly restrictive, only allowing SSH from everywhere (and even that has fail2ban in front of it). Other things are only allowed from UCC, UWA or occasionally FREENETs. PPTP connections and SSH are allowed from SNAP, but nothing else.

Main firewall

This section is about access control. There are two main chains, TOOUTSIDE and FROMOUTSIDE that most rules are added to, and there's two extra targets, FREENETSIN and FREENETSOUT that jump to a long list of free networks stored using ipset. Ports like CIFS, MSSQL are blocked, as is access to machines with vulnerable OSen (like IRIX). Hosts in $UNFIREWALLED can receive charged traffic and do their own firewalling. Next comes the magic Silk link stuff, see below. After this comes a long list of rules to open ports for particular hosts, in roughly ascending order by IP. Incoming ports are generally opened to FREENETSIN. Outgoing ports don't need to be unfirewalled to go to FREENETs or the Silk link, only if they need to go out to charged IPs, in which case see below as well.

Silk link

This is where the tentacles start emerging. The idea is to force traffic not going to FREENETs over the Silk link, while offering various services on both the Silk and byte-charged links.

Mark 1 is set on packets that should go out the bright link. Mark 2 is set on connections coming in over the Silk link, so they can be matched on the way out and sent back out the bright link. Mark 3 is set on connections coming in over AARNet destined for unfirewalled IPs that need to go back out over AARNet. This is set for all hosts in $UNFIREWALLED, and can be added to hosts outside this range. Mark 4 is set on port 80 connections from the clubroom, wireless and loft so they can be transproxied, which makes the Silk link suck a lot less for browsing.

Packets with Mark 1 pass through the TOOUTSIDE chain, as they'll be NATted and sent over the Silk link.

At this point you'll want to refer to the [http://pub1.zcjh.tpc.edu.tw:9100/computer/Lists/Discussion/Attachments/1/PacketFlow.png diagram showing the order packets go through the various tables]. The mangle PREROUTING table comes first, and it is basically a filter saying whether packets should get NATted or not - mark 1 will be, packets going to local subnets shouldn't be, and the mangle FREENETSOUT table is set up by toipset.sh (document) so that packets not to FREENETs get mark 1 applied.

NATting

Then the NAT occurs.

Letting things through

The most common firewall maintenance task you'll come across is also the easiest.

Common Tasks

Most changes to ucc-fw are relatively mundane: unblocking a port, forwarding a port, and unfirewalling a particular host (eg: for a colocated user machine).

Unfirewalling a host

This quick guide assumes the host you wish to unfirewall is on VLAN 3, as most colocated user machines will be. If it is on a different VLAN you should read the rest of this document before trying to adapt these instructions to your specific case. The two sections

Caveats

One trick is that it isn't just iptables that is doing the magic - the "ip" command is used for some of the source routing. ip rule list will show you some of that (fwmark etc), and ip route list table all or ip route list table bright are handy.