### -*-sh-*- ### ### Firewall configuration for jem ### ### (c) 2008 Mark Wooding ### ###----- Licensing notice --------------------------------------------------- ### ### This program is free software; you can redistribute it and/or modify ### it under the terms of the GNU General Public License as published by ### the Free Software Foundation; either version 2 of the License, or ### (at your option) any later version. ### ### This program is distributed in the hope that it will be useful, ### but WITHOUT ANY WARRANTY; without even the implied warranty of ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ### GNU General Public License for more details. ### ### You should have received a copy of the GNU General Public License ### along with this program; if not, write to the Free Software Foundation, ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ###-------------------------------------------------------------------------- ### Config settings. ## This host isn't a router. setconf(forward, 0) ## This host is involved in a routing asymmetry. setconf(rp_filter, 0) setconf(log_martians, 0) ###-------------------------------------------------------------------------- ### Network interfaces. m4_divert(44)m4_dnl ## Interface definitions. if_dmz=eth0 if_trusted=eth1 if_safe=$if_dmz,$if_trusted if_untrusted=$if_dmz,$if_trusted if_vpn=$if_dmz,$if_trusted if_iodine=$if_dmz,$if_trusted if_its_mz=$if_dmz,$if_trusted if_its_pi=$if_dmz,$if_trusted m4_divert(-1) ###-------------------------------------------------------------------------- ### jem-specific rules. m4_divert(82)m4_dnl ## Set up the SAUCE sinbin. Unfortunately, ipset is a bit brittle. This ## isn't a completely critical part of the firewall security, so don't make ## this fail the entire script. errorchain sauce REJECT makeset sauce iphash || : iptables -A inbound -g sauce -m set --match-set sauce src || : ## Externally visible services. allowservices inbound tcp \ ssh \ ident \ smtp submission \ http https \ imaps ## Provide DNS resolution to local untrusted hosts. for p in tcp udp; do run iptables -A inbound -j ACCEPT \ -s 172.29.198.0/24 \ -p $p --destination-port $port_dns done m4_divert(-1) ###----- That's all, folks --------------------------------------------------