[firewall] / radius.m4

### -*-sh-*-
###
### Firewall configuration for radius
###
### (c) 2008 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

###--------------------------------------------------------------------------
### radius-specific rules.

m4_divert(86)m4_dnl
## Externally visible services.
allowservices inbound tcp \
	ident \
	ssh
allowservices inbound udp \
	tripe

## Provide syslog for evolution.
run iptables -A inbound -j ACCEPT \
	-s 172.29.198.2 \
	-p udp --destination-port $port_syslog

## Other interesting things.
dnsresolver inbound
dnsserver inbound

## IPv6 6-in-4 tunnel.
run iptables -A inbound -j ACCEPT \
	-p $proto_ipv6 -s 216.66.80.26

## Permitted special forwarding.
makeset fwd-allow-http nethash || :
iptables -A fwd-spec-nofrag -j ACCEPT \
	-m set --match-set fwd-allow-http dst \
	-p tcp --destination-port $port_http \
	-m mark --mark $to_untrusted/$MASK_TO
iptables -A fwd-spec-nofrag -j ACCEPT \
	-m set --match-set fwd-allow-http src \
	-p tcp --destination-port $port_http \
	-m mark --mark $from_untrusted/$MASK_FROM \
	-m state --state ESTABLISHED

## NAT for RFC1918 addresses.
for i in PREROUTING OUTPUT POSTROUTING; do
  run iptables -t nat -P $i ACCEPT 2>/dev/null || :
  run iptables -t nat -F $i 2>/dev/null || :
done
run iptables -t nat -F
run iptables -t nat -X

run iptables -t nat -N outbound
run iptables -t nat -A outbound -j RETURN ! -o ppp0
run iptables -t nat -A outbound -j RETURN ! -s 172.29.198.0/23
run iptables -t nat -A outbound -j RETURN -d 62.49.204.144/28
run iptables -t nat -A outbound -j RETURN -d 172.29.198.0/23
run iptables -t nat -A outbound -j SNAT --to-source 62.49.204.158
run iptables -t nat -A POSTROUTING -j outbound

## TCP MSS clamping to help given Demon's sluggish approach to fragmentation-
## needed errors.
run ip46tables -t mangle -A FORWARD -o ppp0 -p tcp --tcp-flags SYN,RST SYN \
	-j TCPMSS --clamp-mss-to-pmtu

## Set up NAT protocol helpers.  In particular, SIP needs some special
## twiddling.
run modprobe nf_conntrack_sip \
  ports=5060 \
  sip_direct_signalling=0 \
  sip_direct_media=0
for p in ftp sip h323; do
  run modprobe nf_nat_$p
done

## Forbid anything complicated to the NAT address.  Be sure to allow ident,
## though.
run iptables -A INPUT -d 62.49.204.158 -p tcp -j ACCEPT \
	-m multiport --destination-ports=113
run iptables -A INPUT -d 62.49.204.158 ! -p icmp -j REJECT

m4_divert(-1)
###----- That's all, folks --------------------------------------------------
Commit	Line	Data
775bd287	1	### --sh--
bfdc045d	2	###
a3972fea	3	### Firewall configuration for radius
bfdc045d MW	4	###
	5	### (c) 2008 Mark Wooding
	6	###
	7
	8	###----- Licensing notice ---------------------------------------------------
	9	###
	10	### This program is free software; you can redistribute it and/or modify
	11	### it under the terms of the GNU General Public License as published by
	12	### the Free Software Foundation; either version 2 of the License, or
	13	### (at your option) any later version.
	14	###
	15	### This program is distributed in the hope that it will be useful,
	16	### but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	18	### GNU General Public License for more details.
	19	###
	20	### You should have received a copy of the GNU General Public License
	21	### along with this program; if not, write to the Free Software Foundation,
	22	### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
	23
	24	###--------------------------------------------------------------------------
a3972fea	25	### radius-specific rules.
bfdc045d	26
1a42af95	27	m4_divert(86)m4_dnl
bfdc045d MW	28	## Externally visible services.
bfdc045d MW	29	allowservices inbound tcp \
6f74cc82	30	ident \
a3972fea	31	ssh
bfdc045d	32	allowservices inbound udp \
a3972fea	33	tripe
bfdc045d	34
a3972fea MW	35	## Provide syslog for evolution.
	36	run iptables -A inbound -j ACCEPT \
	37	-s 172.29.198.2 \
	38	-p udp --destination-port $port_syslog
	39
bfdc045d MW	40	## Other interesting things.
bfdc045d MW	41	dnsresolver inbound
7dde20fa	42	dnsserver inbound
bfdc045d	43
b44f4404 MW	44	## IPv6 6-in-4 tunnel.
	45	run iptables -A inbound -j ACCEPT \
	46	-p $proto_ipv6 -s 216.66.80.26
	47
a83c9611 MW	48	## Permitted special forwarding.
	49	makeset fwd-allow-http nethash \|\| :
	50	iptables -A fwd-spec-nofrag -j ACCEPT \
	51	-m set --match-set fwd-allow-http dst \
	52	-p tcp --destination-port $port_http \
	53	-m mark --mark $to_untrusted/$MASK_TO
	54	iptables -A fwd-spec-nofrag -j ACCEPT \
	55	-m set --match-set fwd-allow-http src \
	56	-p tcp --destination-port $port_http \
	57	-m mark --mark $from_untrusted/$MASK_FROM \
	58	-m state --state ESTABLISHED
	59
27ca7c0e MW	60	## NAT for RFC1918 addresses.
	61	for i in PREROUTING OUTPUT POSTROUTING; do
	62	run iptables -t nat -P $i ACCEPT 2>/dev/null \|\| :
	63	run iptables -t nat -F $i 2>/dev/null \|\| :
	64	done
	65	run iptables -t nat -F
	66	run iptables -t nat -X
	67
	68	run iptables -t nat -N outbound
8506ff83	69	run iptables -t nat -A outbound -j RETURN ! -o ppp0
27ca7c0e MW	70	run iptables -t nat -A outbound -j RETURN ! -s 172.29.198.0/23
	71	run iptables -t nat -A outbound -j RETURN -d 62.49.204.144/28
	72	run iptables -t nat -A outbound -j RETURN -d 172.29.198.0/23
	73	run iptables -t nat -A outbound -j SNAT --to-source 62.49.204.158
	74	run iptables -t nat -A POSTROUTING -j outbound
	75
8506ff83 MW	76	## TCP MSS clamping to help given Demon's sluggish approach to fragmentation-
	77	## needed errors.
	78	run ip46tables -t mangle -A FORWARD -o ppp0 -p tcp --tcp-flags SYN,RST SYN \
	79	-j TCPMSS --clamp-mss-to-pmtu
	80
f6561602 MW	81	## Set up NAT protocol helpers. In particular, SIP needs some special
	82	## twiddling.
	83	run modprobe nf_conntrack_sip \
	84	ports=5060 \
	85	sip_direct_signalling=0 \
	86	sip_direct_media=0
	87	for p in ftp sip h323; do
	88	run modprobe nf_nat_$p
	89	done
	90
a92589b8 MW	91	## Forbid anything complicated to the NAT address. Be sure to allow ident,
	92	## though.
	93	run iptables -A INPUT -d 62.49.204.158 -p tcp -j ACCEPT \
	94	-m multiport --destination-ports=113
dad38065 MW	95	run iptables -A INPUT -d 62.49.204.158 ! -p icmp -j REJECT
dad38065 MW	96
bfdc045d MW	97	m4_divert(-1)
bfdc045d MW	98	###----- That's all, folks --------------------------------------------------