### -*-sh-*- ### ### Firewall configuration for radius ### ### (c) 2008 Mark Wooding ### ###----- Licensing notice --------------------------------------------------- ### ### This program is free software; you can redistribute it and/or modify ### it under the terms of the GNU General Public License as published by ### the Free Software Foundation; either version 2 of the License, or ### (at your option) any later version. ### ### This program is distributed in the hope that it will be useful, ### but WITHOUT ANY WARRANTY; without even the implied warranty of ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ### GNU General Public License for more details. ### ### You should have received a copy of the GNU General Public License ### along with this program; if not, write to the Free Software Foundation, ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ###-------------------------------------------------------------------------- ### radius-specific rules. m4_divert(86)m4_dnl ## Externally visible services. allowservices inbound tcp \ ident \ ssh allowservices inbound udp \ tripe ## Provide syslog for evolution. run iptables -A inbound -j ACCEPT \ -s 172.29.198.2 \ -p udp --destination-port $port_syslog ## Other interesting things. dnsresolver inbound dnsserver inbound ## IPv6 6-in-4 tunnel. run iptables -A inbound -j ACCEPT \ -p $proto_ipv6 -s 216.66.80.26 ## Permitted special forwarding. makeset fwd-allow-http nethash || : iptables -A fwd-spec-nofrag -j ACCEPT \ -m set --match-set fwd-allow-http dst \ -p tcp --destination-port $port_http \ -m mark --mark $to_untrusted/$MASK_TO iptables -A fwd-spec-nofrag -j ACCEPT \ -m set --match-set fwd-allow-http src \ -p tcp --destination-port $port_http \ -m mark --mark $from_untrusted/$MASK_FROM \ -m state --state ESTABLISHED ## BCP38 filtering. Note that addresses here are seen before NAT is applied. bcp38 4 ppp0 62.49.204.144/28 172.29.198.0/23 bcp38 6 t6-he \ 2001:470:1f08:1b98::2 2001:470:1f09:1b98::/64 \ 2001:470:9740::/48 ## NAT for RFC1918 addresses. for i in PREROUTING OUTPUT POSTROUTING; do run iptables -t nat -P $i ACCEPT 2>/dev/null || : run iptables -t nat -F $i 2>/dev/null || : done run iptables -t nat -F run iptables -t nat -X run iptables -t nat -N outbound run iptables -t nat -A outbound -j RETURN ! -o ppp0 run iptables -t nat -A outbound -j RETURN ! -s 172.29.198.0/23 run iptables -t nat -A outbound -j RETURN -d 62.49.204.144/28 run iptables -t nat -A outbound -j RETURN -d 172.29.198.0/23 ## An awful hack. ##run iptables -t nat -A outbound -j DNETMAP --reuse \ ## -s 172.29.199.44 --prefix 62.49.204.157 ##run iptables -t nat -A outbound -j DNETMAP --reuse \ ## -s 172.29.198.34 --prefix 62.49.204.157 ##run iptables -t nat -A outbound -j DNETMAP --reuse \ ## -s 172.29.198.11 --prefix 62.49.204.157 ##run iptables -t nat -A PREROUTING -j DNETMAP run iptables -t nat -A outbound -j SNAT --to-source 62.49.204.158 run iptables -t nat -A POSTROUTING -j outbound ## Set up NAT protocol helpers. In particular, SIP needs some special ## twiddling. run modprobe nf_conntrack_sip \ ports=5060 \ sip_direct_signalling=0 \ sip_direct_media=0 for p in ftp sip h323; do run modprobe nf_nat_$p done ## Forbid anything complicated to the NAT address. Be sure to allow ident, ## though. run iptables -A INPUT -d 62.49.204.158 -p tcp -j ACCEPT \ -m multiport --destination-ports=113 run iptables -A INPUT -d 62.49.204.158 ! -p icmp -j REJECT m4_divert(-1) ###----- That's all, folks --------------------------------------------------