mdw@git.distorted.org.uk Git - firewall/blob - radius.m4

   1 ### -*-sh-*-
   2 ###
   3 ### Firewall configuration for radius
   4 ###
   5 ### (c) 2008 Mark Wooding
   6 ###
   7
   8 ###----- Licensing notice ---------------------------------------------------
   9 ###
  10 ### This program is free software; you can redistribute it and/or modify
  11 ### it under the terms of the GNU General Public License as published by
  12 ### the Free Software Foundation; either version 2 of the License, or
  13 ### (at your option) any later version.
  14 ###
  15 ### This program is distributed in the hope that it will be useful,
  16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
  17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18 ### GNU General Public License for more details.
  19 ###
  20 ### You should have received a copy of the GNU General Public License
  21 ### along with this program; if not, write to the Free Software Foundation,
  22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  23
  24 ###--------------------------------------------------------------------------
  25 ### radius-specific rules.
  26
  27 m4_divert(86)m4_dnl
  28 ## Externally visible services.
  29 allowservices inbound tcp \
  30         ident \
  31         dns iodine \
  32         ssh
  33 allowservices inbound udp \
  34         dns iodine \
  35         tripe
  36
  37 ## Provide DNS resolution to local untrusted hosts.
  38 for p in tcp udp; do
  39   run iptables -A inbound -j ACCEPT \
  40           -s 172.29.198.0/24 \
  41           -p $p --destination-port $port_dns
  42 done
  43
  44 ## Provide syslog for evolution.
  45 run iptables -A inbound -j ACCEPT \
  46         -s 172.29.198.2 \
  47         -p udp --destination-port $port_syslog
  48
  49 ## Other interesting things.
  50 dnsresolver inbound
  51
  52 ## IPv6 6-in-4 tunnel.
  53 run iptables -A inbound -j ACCEPT \
  54         -p $proto_ipv6 -s 216.66.80.26
  55
  56 ## Permitted special forwarding.
  57 makeset fwd-allow-http nethash || :
  58 iptables -A fwd-spec-nofrag -j ACCEPT \
  59         -m set --match-set fwd-allow-http dst \
  60         -p tcp --destination-port $port_http \
  61         -m mark --mark $to_untrusted/$MASK_TO
  62 iptables -A fwd-spec-nofrag -j ACCEPT \
  63         -m set --match-set fwd-allow-http src \
  64         -p tcp --destination-port $port_http \
  65         -m mark --mark $from_untrusted/$MASK_FROM \
  66         -m state --state ESTABLISHED
  67
  68 ## NAT for RFC1918 addresses.
  69 for i in PREROUTING OUTPUT POSTROUTING; do
  70   run iptables -t nat -P $i ACCEPT 2>/dev/null || :
  71   run iptables -t nat -F $i 2>/dev/null || :
  72 done
  73 run iptables -t nat -F
  74 run iptables -t nat -X
  75
  76 run iptables -t nat -N outbound
  77 run iptables -t nat -A outbound -j RETURN ! -o eth0
  78 run iptables -t nat -A outbound -j RETURN ! -s 172.29.198.0/23
  79 run iptables -t nat -A outbound -j RETURN -d 62.49.204.144/28
  80 run iptables -t nat -A outbound -j RETURN -d 172.29.198.0/23
  81 run iptables -t nat -A outbound -j SNAT --to-source 62.49.204.158
  82 run iptables -t nat -A POSTROUTING -j outbound
  83
  84 ## Set up NAT protocol helpers.  In particular, SIP needs some special
  85 ## twiddling.
  86 run modprobe nf_conntrack_sip \
  87   ports=5060 \
  88   sip_direct_signalling=0 \
  89   sip_direct_media=0
  90 for p in ftp sip h323; do
  91   run modprobe nf_nat_$p
  92 done
  93
  94 ## Forbid anything complicated to the NAT address.
  95 run iptables -A INPUT -d 62.49.204.158 ! -p icmp -j REJECT
  96
  97 m4_divert(-1)
  98 ###----- That's all, folks --------------------------------------------------