3 ### Firewall configuration for radius
5 ### (c) 2008 Mark Wooding
8 ###----- Licensing notice ---------------------------------------------------
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
24 ###--------------------------------------------------------------------------
25 ### radius-specific rules.
28 ## Externally visible services.
29 allowservices inbound tcp \
32 allowservices inbound udp \
35 ## Provide syslog for evolution.
36 run iptables -A inbound -j ACCEPT \
38 -p udp --destination-port $port_syslog
40 ## Other interesting things.
44 ## IPv6 6-in-4 tunnel.
45 run iptables -A inbound -j ACCEPT \
46 -p $proto_ipv6 -s 216.66.80.26
48 ## Permitted special forwarding.
49 makeset fwd-allow-http nethash || :
50 iptables -A fwd-spec-nofrag -j ACCEPT \
51 -m set --match-set fwd-allow-http dst \
52 -p tcp --destination-port $port_http \
53 -m mark --mark $to_untrusted/$MASK_TO
54 iptables -A fwd-spec-nofrag -j ACCEPT \
55 -m set --match-set fwd-allow-http src \
56 -p tcp --destination-port $port_http \
57 -m mark --mark $from_untrusted/$MASK_FROM \
58 -m state --state ESTABLISHED
60 ## BCP38 filtering. Note that addresses here are seen before NAT is applied.
61 bcp38 4 ppp0 81.2.113.195 81.187.238.128/28 172.29.198.0/23
62 bcp38 6 ppp0 2001:8b0:c92::/48
64 ## NAT for RFC1918 addresses.
65 for i in PREROUTING OUTPUT POSTROUTING; do
66 run iptables -t nat -P $i ACCEPT 2>/dev/null || :
67 run iptables -t nat -F $i 2>/dev/null || :
69 run iptables -t nat -F
70 run iptables -t nat -X
72 run iptables -t nat -N outbound
73 run iptables -t nat -A outbound -j RETURN ! -o ppp0
74 run iptables -t nat -A outbound -j RETURN ! -s 172.29.198.0/23
75 run iptables -t nat -A outbound -j RETURN -d 81.187.238.128/28
76 run iptables -t nat -A outbound -j RETURN -d 172.29.198.0/23
79 ##run iptables -t nat -A outbound -j DNETMAP --reuse \
80 ## -s 172.29.199.44 --prefix 81.187.238.142
81 ##run iptables -t nat -A outbound -j DNETMAP --reuse \
82 ## -s 172.29.198.34 --prefix 81.187.238.142
83 ##run iptables -t nat -A outbound -j DNETMAP --reuse \
84 ## -s 172.29.198.11 --prefix 81.187.238.142
85 ##run iptables -t nat -A PREROUTING -j DNETMAP
87 run iptables -t nat -A outbound -j SNAT --to-source 81.187.238.142
88 run iptables -t nat -A POSTROUTING -j outbound
90 ## Set up NAT protocol helpers. In particular, SIP needs some special
92 run modprobe nf_conntrack_sip \
94 sip_direct_signalling=0 \
96 for p in ftp sip h323; do
97 run modprobe nf_nat_$p
100 ## Forbid anything complicated to the NAT address. Be sure to allow ident,
102 run iptables -A INPUT -d 81.187.238.142 -p tcp -j ACCEPT \
103 -m multiport --destination-ports=113
104 run iptables -A INPUT -d 81.187.238.142 ! -p icmp -j REJECT
107 ###----- That's all, folks --------------------------------------------------