[firewall] / vampire.m4

### -*-m4-*-
###
### Firewall configuration for vampire
###
### (c) 2008 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

###--------------------------------------------------------------------------
### Network interfaces.

m4_divert(44)m4_dnl
## Interface definitions.
if_untrusted=eth0.1
if_trusted=eth0.0
if_vpn=vpn-+
if_its_mz=eth0.0
if_its_pi=eth0.0

m4_divert(-1)
###--------------------------------------------------------------------------
### vampire-specific rules.

m4_divert(82)m4_dnl
## Repelling evil DDos attack.
run ipset -N ddos-evil-dns iphash 2>/dev/null || :
run iptables -A inbound -j DROP \
	-m set --set ddos-evil-dns src \
	-p udp --destination-port $port_dns

## Externally visible services.
allowservices inbound tcp \
	finger ident \
	dns \
	ssh \
	smtp \
	gnutella_svc \
	ftp ftp_data \
	rsync \
	http https \
	git	
allowservices inbound tcp \
	tor_public tor_directory
allowservices inbound udp \
	dns \
	tripe \
	gnutella_svc

## Provide DNS resolution to local untrusted hosts.
for p in tcp udp; do
  run iptables -A inbound -j ACCEPT \
	  -s 172.29.198.0/24 \
	  -p $p --destination-port $port_dns
done

## Provide syslog for evolution.
run iptables -A inbound -j ACCEPT \
	-s 172.29.198.2 \
	-p udp --destination-port $port_syslog

## Provide a web cache to local untrusted hosts.
run iptables -A inbound -j ACCEPT \
	-s 172.29.198.0/24 \
	-p tcp --destination-port $port_squid

## Watch outgoing Tor usage.
run iptables -A OUTPUT -m multiport \
	-p tcp --source-ports $port_tor_public,$port_tor_directory

## Other interesting things.
dnsresolver inbound
ntpclient inbound 158.152.1.76 158.152.1.204 194.159.253.2

m4_divert(-1)
###----- That's all, folks --------------------------------------------------
Commit	Line	Data
bfdc045d MW	1	### --m4--
	2	###
	3	### Firewall configuration for vampire
	4	###
	5	### (c) 2008 Mark Wooding
	6	###
	7
	8	###----- Licensing notice ---------------------------------------------------
	9	###
	10	### This program is free software; you can redistribute it and/or modify
	11	### it under the terms of the GNU General Public License as published by
	12	### the Free Software Foundation; either version 2 of the License, or
	13	### (at your option) any later version.
	14	###
	15	### This program is distributed in the hope that it will be useful,
	16	### but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	18	### GNU General Public License for more details.
	19	###
	20	### You should have received a copy of the GNU General Public License
	21	### along with this program; if not, write to the Free Software Foundation,
	22	### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
	23
	24	###--------------------------------------------------------------------------
	25	### Network interfaces.
	26
	27	m4_divert(44)m4_dnl
	28	## Interface definitions.
	29	if_untrusted=eth0.1
	30	if_trusted=eth0.0
	31	if_vpn=vpn-+
	32	if_its_mz=eth0.0
	33	if_its_pi=eth0.0
	34
	35	m4_divert(-1)
	36	###--------------------------------------------------------------------------
	37	### vampire-specific rules.
	38
	39	m4_divert(82)m4_dnl
83610d8a MW	40	## Repelling evil DDos attack.
	41	run ipset -N ddos-evil-dns iphash 2>/dev/null \|\| :
	42	run iptables -A inbound -j DROP \
	43	-m set --set ddos-evil-dns src \
	44	-p udp --destination-port $port_dns
	45
bfdc045d MW	46	## Externally visible services.
	47	allowservices inbound tcp \
	48	finger ident \
	49	dns \
	50	ssh \
	51	smtp \
	52	gnutella_svc \
	53	ftp ftp_data \
	54	rsync \
	55	http https \
	56	git
78c56de1 MW	57	allowservices inbound tcp \
78c56de1 MW	58	tor_public tor_directory
bfdc045d MW	59	allowservices inbound udp \
	60	dns \
	61	tripe \
	62	gnutella_svc
	63
	64	## Provide DNS resolution to local untrusted hosts.
	65	for p in tcp udp; do
	66	run iptables -A inbound -j ACCEPT \
	67	-s 172.29.198.0/24 \
	68	-p $p --destination-port $port_dns
	69	done
	70
	71	## Provide syslog for evolution.
	72	run iptables -A inbound -j ACCEPT \
	73	-s 172.29.198.2 \
	74	-p udp --destination-port $port_syslog
	75
	76	## Provide a web cache to local untrusted hosts.
	77	run iptables -A inbound -j ACCEPT \
	78	-s 172.29.198.0/24 \
	79	-p tcp --destination-port $port_squid
	80
d6dd88f5 MW	81	## Watch outgoing Tor usage.
	82	run iptables -A OUTPUT -m multiport \
	83	-p tcp --source-ports $port_tor_public,$port_tor_directory
	84
bfdc045d MW	85	## Other interesting things.
	86	dnsresolver inbound
	87	ntpclient inbound 158.152.1.76 158.152.1.204 194.159.253.2
	88
	89	m4_divert(-1)
	90	###----- That's all, folks --------------------------------------------------