### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
###--------------------------------------------------------------------------
-### Config settings.
-
-## This router is involved in a routing asymmetry.
-setconf(rp_filter, 0)
-setconf(log_martians, 0)
-
-###--------------------------------------------------------------------------
-### Network interfaces.
-
-m4_divert(44)m4_dnl
-## Interface definitions.
-if_dmz=eth0
-if_trusted=eth1
-if_safe=eth2
-if_untrusted=eth3
-if_vpn=$if_dmz,$if_trusted
-if_iodine=$if_dmz,$if_trusted
-if_its_mz=$if_dmz,$if_trusted
-if_its_pi=$if_dmz,$if_trusted
-
-m4_divert(-1)
-###--------------------------------------------------------------------------
### radius-specific rules.
-m4_divert(82)m4_dnl
+m4_divert(86)m4_dnl
## Externally visible services.
allowservices inbound tcp \
- dns iodine \
+ ident \
ssh
allowservices inbound udp \
- dns iodine \
tripe
-## Provide DNS resolution to local untrusted hosts.
-for p in tcp udp; do
- run iptables -A inbound -j ACCEPT \
- -s 172.29.198.0/24 \
- -p $p --destination-port $port_dns
-done
-
## Provide syslog for evolution.
run iptables -A inbound -j ACCEPT \
-s 172.29.198.2 \
## Other interesting things.
dnsresolver inbound
+dnsserver inbound
+
+## IPv6 6-in-4 tunnel.
+run iptables -A inbound -j ACCEPT \
+ -p $proto_ipv6 -s 216.66.80.26
+
+## Permitted special forwarding.
+makeset fwd-allow-http nethash || :
+iptables -A fwd-spec-nofrag -j ACCEPT \
+ -m set --match-set fwd-allow-http dst \
+ -p tcp --destination-port $port_http \
+ -m mark --mark $to_untrusted/$MASK_TO
+iptables -A fwd-spec-nofrag -j ACCEPT \
+ -m set --match-set fwd-allow-http src \
+ -p tcp --destination-port $port_http \
+ -m mark --mark $from_untrusted/$MASK_FROM \
+ -m state --state ESTABLISHED
+
+## BCP38 filtering. Note that addresses here are seen before NAT is applied.
+bcp38 4 ppp0 81.2.113.195 81.187.238.128/28 172.29.198.0/23
+bcp38 6 ppp0 2001:8b0:c92::/48
+
+## NAT for RFC1918 addresses.
+for i in PREROUTING OUTPUT POSTROUTING; do
+ run iptables -t nat -P $i ACCEPT 2>/dev/null || :
+ run iptables -t nat -F $i 2>/dev/null || :
+done
+run iptables -t nat -F
+run iptables -t nat -X
+
+run iptables -t nat -N outbound
+run iptables -t nat -A outbound -j RETURN ! -o ppp0
+run iptables -t nat -A outbound -j RETURN ! -s 172.29.198.0/23
+run iptables -t nat -A outbound -j RETURN -d 81.187.238.128/28
+run iptables -t nat -A outbound -j RETURN -d 172.29.198.0/23
+
+## An awful hack.
+##run iptables -t nat -A outbound -j DNETMAP --reuse \
+## -s 172.29.199.44 --prefix 81.187.238.142
+##run iptables -t nat -A outbound -j DNETMAP --reuse \
+## -s 172.29.198.34 --prefix 81.187.238.142
+##run iptables -t nat -A outbound -j DNETMAP --reuse \
+## -s 172.29.198.11 --prefix 81.187.238.142
+##run iptables -t nat -A PREROUTING -j DNETMAP
+
+run iptables -t nat -A outbound -j SNAT --to-source 81.187.238.142
+run iptables -t nat -A POSTROUTING -j outbound
+
+## Set up NAT protocol helpers. In particular, SIP needs some special
+## twiddling.
+run modprobe nf_conntrack_sip \
+ ports=5060 \
+ sip_direct_signalling=0 \
+ sip_direct_media=0
+for p in ftp sip h323; do
+ run modprobe nf_nat_$p
+done
+
+## Forbid anything complicated to the NAT address. Be sure to allow ident,
+## though.
+run iptables -A INPUT -d 81.187.238.142 -p tcp -j ACCEPT \
+ -m multiport --destination-ports=113
+run iptables -A INPUT -d 81.187.238.142 ! -p icmp -j REJECT
m4_divert(-1)
###----- That's all, folks --------------------------------------------------
~mdw / firewall / blobdiff