mdw@git.distorted.org.uk Git - firewall/blame_incremental

... / ...

Commit	Line	Data
	1	### --sh--
	2	###
	3	### Firewall configuration for radius
	4	###
	5	### (c) 2008 Mark Wooding
	6	###
	7
	8	###----- Licensing notice ---------------------------------------------------
	9	###
	10	### This program is free software; you can redistribute it and/or modify
	11	### it under the terms of the GNU General Public License as published by
	12	### the Free Software Foundation; either version 2 of the License, or
	13	### (at your option) any later version.
	14	###
	15	### This program is distributed in the hope that it will be useful,
	16	### but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	18	### GNU General Public License for more details.
	19	###
	20	### You should have received a copy of the GNU General Public License
	21	### along with this program; if not, write to the Free Software Foundation,
	22	### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
	23
	24	###--------------------------------------------------------------------------
	25	### radius-specific rules.
	26
	27	m4_divert(86)m4_dnl
	28	## Externally visible services.
	29	allowservices inbound tcp \
	30	ident \
	31	ssh
	32	allowservices inbound udp \
	33	tripe
	34
	35	## Provide syslog for evolution.
	36	run iptables -A inbound -j ACCEPT \
	37	-s 172.29.198.2 \
	38	-p udp --destination-port $port_syslog
	39
	40	## Other interesting things.
	41	dnsresolver inbound
	42	dnsserver inbound
	43
	44	## IPv6 6-in-4 tunnel.
	45	run iptables -A inbound -j ACCEPT \
	46	-p $proto_ipv6 -s 216.66.80.26
	47
	48	## Permitted special forwarding.
	49	makeset fwd-allow-http nethash \|\| :
	50	iptables -A fwd-spec-nofrag -j ACCEPT \
	51	-m set --match-set fwd-allow-http dst \
	52	-p tcp --destination-port $port_http \
	53	-m mark --mark $to_untrusted/$MASK_TO
	54	iptables -A fwd-spec-nofrag -j ACCEPT \
	55	-m set --match-set fwd-allow-http src \
	56	-p tcp --destination-port $port_http \
	57	-m mark --mark $from_untrusted/$MASK_FROM \
	58	-m state --state ESTABLISHED
	59
	60	## BCP38 filtering. Note that addresses here are seen before NAT is applied.
	61	bcp38 4 ppp0 81.2.113.195 81.187.238.128/28 172.29.198.0/23
	62	bcp38 6 ppp0 2001:8b0:c92::/48
	63
	64	## NAT for RFC1918 addresses.
	65	for i in PREROUTING OUTPUT POSTROUTING; do
	66	run iptables -t nat -P $i ACCEPT 2>/dev/null \|\| :
	67	run iptables -t nat -F $i 2>/dev/null \|\| :
	68	done
	69	run iptables -t nat -F
	70	run iptables -t nat -X
	71
	72	run iptables -t nat -N outbound
	73	run iptables -t nat -A outbound -j RETURN ! -o ppp0
	74	run iptables -t nat -A outbound -j RETURN ! -s 172.29.198.0/23
	75	run iptables -t nat -A outbound -j RETURN -d 81.187.238.128/28
	76	run iptables -t nat -A outbound -j RETURN -d 172.29.198.0/23
	77
	78	## An awful hack.
	79	##run iptables -t nat -A outbound -j DNETMAP --reuse \
	80	## -s 172.29.199.44 --prefix 81.187.238.142
	81	##run iptables -t nat -A outbound -j DNETMAP --reuse \
	82	## -s 172.29.198.34 --prefix 81.187.238.142
	83	##run iptables -t nat -A outbound -j DNETMAP --reuse \
	84	## -s 172.29.198.11 --prefix 81.187.238.142
	85	##run iptables -t nat -A PREROUTING -j DNETMAP
	86
	87	run iptables -t nat -A outbound -j SNAT --to-source 81.187.238.142
	88	run iptables -t nat -A POSTROUTING -j outbound
	89
	90	## Set up NAT protocol helpers. In particular, SIP needs some special
	91	## twiddling.
	92	run modprobe nf_conntrack_sip \
	93	ports=5060 \
	94	sip_direct_signalling=0 \
	95	sip_direct_media=0
	96	for p in ftp sip h323; do
	97	run modprobe nf_nat_$p
	98	done
	99
	100	## Forbid anything complicated to the NAT address. Be sure to allow ident,
	101	## though.
	102	run iptables -A INPUT -d 81.187.238.142 -p tcp -j ACCEPT \
	103	-m multiport --destination-ports=113
	104	run iptables -A INPUT -d 81.187.238.142 ! -p icmp -j REJECT
	105
	106	m4_divert(-1)
	107	###----- That's all, folks --------------------------------------------------