mdw@git.distorted.org.uk Git - firewall/blob - vampire.m4

   1 ### -*-m4-*-
   2 ###
   3 ### Firewall configuration for vampire
   4 ###
   5 ### (c) 2008 Mark Wooding
   6 ###
   7
   8 ###----- Licensing notice ---------------------------------------------------
   9 ###
  10 ### This program is free software; you can redistribute it and/or modify
  11 ### it under the terms of the GNU General Public License as published by
  12 ### the Free Software Foundation; either version 2 of the License, or
  13 ### (at your option) any later version.
  14 ###
  15 ### This program is distributed in the hope that it will be useful,
  16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
  17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18 ### GNU General Public License for more details.
  19 ###
  20 ### You should have received a copy of the GNU General Public License
  21 ### along with this program; if not, write to the Free Software Foundation,
  22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  23
  24 ###--------------------------------------------------------------------------
  25 ### Network interfaces.
  26
  27 m4_divert(44)m4_dnl
  28 ## Interface definitions.
  29 if_untrusted=eth0.1
  30 if_trusted=eth0.0
  31 if_vpn=vpn-+
  32 if_its_mz=eth0.0
  33 if_its_pi=eth0.0
  34
  35 m4_divert(-1)
  36 ###--------------------------------------------------------------------------
  37 ### vampire-specific rules.
  38
  39 m4_divert(82)m4_dnl
  40 ## Repelling evil DDos attack.
  41 run ipset -N ddos-evil-dns iphash 2>/dev/null || :
  42 run iptables -A inbound -j DROP \
  43         -m set --set ddos-evil-dns src \
  44         -p udp --destination-port $port_dns
  45
  46 ## Externally visible services.
  47 allowservices inbound tcp \
  48         finger ident \
  49         dns \
  50         ssh \
  51         smtp \
  52         gnutella_svc \
  53         ftp ftp_data \
  54         rsync \
  55         http https \
  56         git
  57 allowservices inbound tcp \
  58         tor_public tor_directory
  59 allowservices inbound udp \
  60         dns \
  61         tripe \
  62         gnutella_svc
  63
  64 ## Provide DNS resolution to local untrusted hosts.
  65 for p in tcp udp; do
  66   run iptables -A inbound -j ACCEPT \
  67           -s 172.29.198.0/24 \
  68           -p $p --destination-port $port_dns
  69 done
  70
  71 ## Provide syslog for evolution.
  72 run iptables -A inbound -j ACCEPT \
  73         -s 172.29.198.2 \
  74         -p udp --destination-port $port_syslog
  75
  76 ## Provide a web cache to local untrusted hosts.
  77 run iptables -A inbound -j ACCEPT \
  78         -s 172.29.198.0/24 \
  79         -p tcp --destination-port $port_squid
  80
  81 ## Watch outgoing Tor usage.
  82 run iptables -A OUTPUT -m multiport \
  83         -p tcp --source-ports $port_tor_public,$port_tor_directory
  84
  85 ## Other interesting things.
  86 dnsresolver inbound
  87 ntpclient inbound 158.152.1.76 158.152.1.204 194.159.253.2
  88
  89 m4_divert(-1)
  90 ###----- That's all, folks --------------------------------------------------