mdw@git.distorted.org.uk Git - firewall/blob - vampire.m4

   1 ### -*-sh-*-
   2 ###
   3 ### Firewall configuration for vampire
   4 ###
   5 ### (c) 2008 Mark Wooding
   6 ###
   7
   8 ###----- Licensing notice ---------------------------------------------------
   9 ###
  10 ### This program is free software; you can redistribute it and/or modify
  11 ### it under the terms of the GNU General Public License as published by
  12 ### the Free Software Foundation; either version 2 of the License, or
  13 ### (at your option) any later version.
  14 ###
  15 ### This program is distributed in the hope that it will be useful,
  16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
  17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18 ### GNU General Public License for more details.
  19 ###
  20 ### You should have received a copy of the GNU General Public License
  21 ### along with this program; if not, write to the Free Software Foundation,
  22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  23
  24 ###--------------------------------------------------------------------------
  25 ### vampire-specific rules.
  26
  27 m4_divert(86)m4_dnl
  28 ## Externally visible services.
  29 allowservices inbound tcp \
  30         finger ident \
  31         dns iodine \
  32         ssh \
  33         smtp submission \
  34         rdesktop \
  35         gnutella_svc \
  36         ftp ftp_data \
  37         rsync \
  38         imaps \
  39         disorder mpd \
  40         http https squid \
  41         git \
  42         tor_public tor_directory i2p
  43 allowservices inbound udp \
  44         dns iodine \
  45         tripe \
  46         gnutella_svc \
  47         i2p
  48
  49 ## Extend some services to local untrusted hosts.
  50 clearchain inbound-untrusted
  51 run iptables -A inbound -j inbound-untrusted -s $net_inet_untrusted
  52 run ip6tables -A inbound -j inbound-untrusted -s $net_inet6_untrusted
  53
  54 allowservices inbound-untrusted tcp \
  55         dns \
  56         netbios_ssn microsoft_ds
  57 allowservices inbound-untrusted udp \
  58         dns \
  59         tftp
  60
  61 ## Provide syslog for evolution.
  62 run iptables -A inbound -j ACCEPT \
  63         -s 172.29.198.2 \
  64         -p udp --destination-port $port_syslog
  65
  66 ## Watch outgoing Tor usage.
  67 run iptables -A OUTPUT -m multiport \
  68         -p tcp --source-ports $port_tor_public,$port_tor_directory
  69
  70 ## Other interesting things.
  71 dnsresolver inbound
  72 ntpclient inbound $ntp_servers
  73
  74 ## IPv6 6-in-4 tunnel.
  75 run iptables -A inbound -j ACCEPT \
  76           -p $proto_ipv6 -s 216.66.80.26
  77
  78 ## NAT for RFC1918 addresses.
  79 for i in PREROUTING OUTPUT POSTROUTING; do
  80   run iptables -t nat -P $i ACCEPT 2>/dev/null || :
  81   run iptables -t nat -F $i 2>/dev/null || :
  82 done
  83 run iptables -t nat -F
  84 run iptables -t nat -X
  85
  86 run iptables -t nat -N outbound
  87 run iptables -t nat -A outbound -j RETURN ! -o eth0.0
  88 run iptables -t nat -A outbound -j RETURN ! -s 172.29.198.0/23
  89 run iptables -t nat -A outbound -j RETURN -d 62.49.204.144/28
  90 run iptables -t nat -A outbound -j RETURN -d 172.29.198.0/23
  91 run iptables -t nat -A outbound -j SNAT --to-source 62.49.204.158
  92 run iptables -t nat -A POSTROUTING -j outbound
  93
  94 ## Set up NAT protocol helpers.  In particular, SIP needs some special
  95 ## twiddling.
  96 run modprobe nf_conntrack_sip \
  97   ports=5060 \
  98   sip_direct_signalling=0 \
  99   sip_direct_media=0
 100 for p in ftp sip h323; do
 101   run modprobe nf_nat_$p
 102 done
 103
 104 ## Forbid anything complicated to the NAT address.
 105 run iptables -A INPUT -d 62.49.204.158 ! -p icmp -j REJECT
 106
 107 m4_divert(-1)
 108 ###----- That's all, folks --------------------------------------------------