local.m4: Fix whitespace oddity.

[firewall] / radius.m4

### -*-sh-*-
###
### Firewall configuration for radius
###
### (c) 2008 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

###--------------------------------------------------------------------------
### radius-specific rules.

m4_divert(86)m4_dnl
## Externally visible services.
allowservices inbound tcp \
        ident \
        ssh
allowservices inbound udp \
        tripe

## Provide syslog for evolution.
run iptables -A inbound -j ACCEPT \
        -s 172.29.198.2 \
        -p udp --destination-port $port_syslog

## Other interesting things.
dnsresolver inbound
dnsserver inbound

## IPv6 6-in-4 tunnel.
run iptables -A inbound -j ACCEPT \
        -p $proto_ipv6 -s 216.66.80.26

## Permitted special forwarding.
makeset fwd-allow-http nethash || :
iptables -A fwd-spec-nofrag -j ACCEPT \
        -m set --match-set fwd-allow-http dst \
        -p tcp --destination-port $port_http \
        -m mark --mark $to_untrusted/$MASK_TO
iptables -A fwd-spec-nofrag -j ACCEPT \
        -m set --match-set fwd-allow-http src \
        -p tcp --destination-port $port_http \
        -m mark --mark $from_untrusted/$MASK_FROM \
        -m state --state ESTABLISHED

## BCP38 filtering.  Note that addresses here are seen before NAT is applied.
bcp38 4 ppp0 62.49.204.144/28 172.29.198.0/23
bcp38 6 t6-he \
        2001:470:1f08:1b98::2 2001:470:1f09:1b98::/64 \
        2001:470:9740::/48

## NAT for RFC1918 addresses.
for i in PREROUTING OUTPUT POSTROUTING; do
  run iptables -t nat -P $i ACCEPT 2>/dev/null || :
  run iptables -t nat -F $i 2>/dev/null || :
done
run iptables -t nat -F
run iptables -t nat -X

run iptables -t nat -N outbound
run iptables -t nat -A outbound -j RETURN ! -o ppp0
run iptables -t nat -A outbound -j RETURN ! -s 172.29.198.0/23
run iptables -t nat -A outbound -j RETURN -d 62.49.204.144/28
run iptables -t nat -A outbound -j RETURN -d 172.29.198.0/23

## An awful hack.
##run iptables -t nat -A outbound -j DNETMAP --reuse \
##      -s 172.29.199.44 --prefix 62.49.204.157
##run iptables -t nat -A outbound -j DNETMAP --reuse \
##      -s 172.29.198.34 --prefix 62.49.204.157
##run iptables -t nat -A outbound -j DNETMAP --reuse \
##      -s 172.29.198.11 --prefix 62.49.204.157
##run iptables -t nat -A PREROUTING -j DNETMAP

run iptables -t nat -A outbound -j SNAT --to-source 62.49.204.158
run iptables -t nat -A POSTROUTING -j outbound

## Set up NAT protocol helpers.  In particular, SIP needs some special
## twiddling.
run modprobe nf_conntrack_sip \
  ports=5060 \
  sip_direct_signalling=0 \
  sip_direct_media=0
for p in ftp sip h323; do
  run modprobe nf_nat_$p
done

## Forbid anything complicated to the NAT address.  Be sure to allow ident,
## though.
run iptables -A INPUT -d 62.49.204.158 -p tcp -j ACCEPT \
        -m multiport --destination-ports=113
run iptables -A INPUT -d 62.49.204.158 ! -p icmp -j REJECT

m4_divert(-1)
###----- That's all, folks --------------------------------------------------