[firewall] / vampire.m4

### -*-m4-*-
###
### Firewall configuration for vampire
###
### (c) 2008 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

###--------------------------------------------------------------------------
### Network interfaces.

m4_divert(44)m4_dnl
## Interface definitions.
if_untrusted=eth0.1
if_trusted=eth0.0
if_vpn=vpn-+
if_its_mz=eth0.0
if_its_pi=eth0.0

m4_divert(-1)
###--------------------------------------------------------------------------
### vampire-specific rules.

m4_divert(35)m4_dnl
errorchain ddos-evil-dns DROP
## Invalid DNS request with probably-forged sender address, with intent to
## cause DDOS.

m4_divert(82)m4_dnl
## Repelling evil DDos attack.
run ipset -N ddos-evil-dns iphash 2>/dev/null || :
run iptables -A inbound -g ddos-evil-dns \
	-m set --set ddos-evil-dns src \
	-p udp --destination-port $port_dns

## Externally visible services.
allowservices inbound tcp \
	finger ident \
	dns \
	ssh \
	smtp \
	gnutella_svc \
	ftp ftp_data \
	rsync \
	mpd \
	http https \
	git	
allowservices inbound tcp \
	tor_public tor_directory
allowservices inbound udp \
	dns \
	tripe \
	gnutella_svc

## Provide DNS resolution to local untrusted hosts.
for p in tcp udp; do
  run iptables -A inbound -j ACCEPT \
	  -s 172.29.198.0/24 \
	  -p $p --destination-port $port_dns
done

## Provide syslog for evolution.
run iptables -A inbound -j ACCEPT \
	-s 172.29.198.2 \
	-p udp --destination-port $port_syslog

## Provide a web cache to local untrusted hosts.
run iptables -A inbound -j ACCEPT \
	-s 172.29.198.0/24 \
	-p tcp --destination-port $port_squid

## Watch outgoing Tor usage.
run iptables -A OUTPUT -m multiport \
	-p tcp --source-ports $port_tor_public,$port_tor_directory

## Other interesting things.
dnsresolver inbound
ntpclient inbound 158.152.1.76 158.152.1.204 194.159.253.2

m4_divert(-1)
###----- That's all, folks --------------------------------------------------
Commit	Line	Data
bfdc045d MW	1	### --m4--
	2	###
	3	### Firewall configuration for vampire
	4	###
	5	### (c) 2008 Mark Wooding
	6	###
	7
	8	###----- Licensing notice ---------------------------------------------------
	9	###
	10	### This program is free software; you can redistribute it and/or modify
	11	### it under the terms of the GNU General Public License as published by
	12	### the Free Software Foundation; either version 2 of the License, or
	13	### (at your option) any later version.
	14	###
	15	### This program is distributed in the hope that it will be useful,
	16	### but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	18	### GNU General Public License for more details.
	19	###
	20	### You should have received a copy of the GNU General Public License
	21	### along with this program; if not, write to the Free Software Foundation,
	22	### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
	23
	24	###--------------------------------------------------------------------------
	25	### Network interfaces.
	26
	27	m4_divert(44)m4_dnl
	28	## Interface definitions.
	29	if_untrusted=eth0.1
	30	if_trusted=eth0.0
	31	if_vpn=vpn-+
	32	if_its_mz=eth0.0
	33	if_its_pi=eth0.0
	34
	35	m4_divert(-1)
	36	###--------------------------------------------------------------------------
	37	### vampire-specific rules.
	38
2dc8f4af MW	39	m4_divert(35)m4_dnl
	40	errorchain ddos-evil-dns DROP
	41	## Invalid DNS request with probably-forged sender address, with intent to
	42	## cause DDOS.
	43
bfdc045d	44	m4_divert(82)m4_dnl
83610d8a MW	45	## Repelling evil DDos attack.
83610d8a MW	46	run ipset -N ddos-evil-dns iphash 2>/dev/null \|\| :
2dc8f4af	47	run iptables -A inbound -g ddos-evil-dns \
83610d8a MW	48	-m set --set ddos-evil-dns src \
	49	-p udp --destination-port $port_dns
	50
bfdc045d MW	51	## Externally visible services.
	52	allowservices inbound tcp \
	53	finger ident \
	54	dns \
	55	ssh \
	56	smtp \
	57	gnutella_svc \
	58	ftp ftp_data \
	59	rsync \
04182f26	60	mpd \
bfdc045d MW	61	http https \
bfdc045d MW	62	git
78c56de1 MW	63	allowservices inbound tcp \
78c56de1 MW	64	tor_public tor_directory
bfdc045d MW	65	allowservices inbound udp \
	66	dns \
	67	tripe \
	68	gnutella_svc
	69
	70	## Provide DNS resolution to local untrusted hosts.
	71	for p in tcp udp; do
	72	run iptables -A inbound -j ACCEPT \
	73	-s 172.29.198.0/24 \
	74	-p $p --destination-port $port_dns
	75	done
	76
	77	## Provide syslog for evolution.
	78	run iptables -A inbound -j ACCEPT \
	79	-s 172.29.198.2 \
	80	-p udp --destination-port $port_syslog
	81
	82	## Provide a web cache to local untrusted hosts.
	83	run iptables -A inbound -j ACCEPT \
	84	-s 172.29.198.0/24 \
	85	-p tcp --destination-port $port_squid
	86
d6dd88f5 MW	87	## Watch outgoing Tor usage.
	88	run iptables -A OUTPUT -m multiport \
	89	-p tcp --source-ports $port_tor_public,$port_tor_directory
	90
bfdc045d MW	91	## Other interesting things.
	92	dnsresolver inbound
	93	ntpclient inbound 158.152.1.76 158.152.1.204 194.159.253.2
	94
	95	m4_divert(-1)
	96	###----- That's all, folks --------------------------------------------------