## Ensure that the named chains exist and are empty.
clearchain () {
set -e
- for chain; do
- case $chain in
- *:*) table=${chain%:*} chain=${chain#*:} ;;
+ for _chain; do
+ case $_chain in
+ *:*) table=${_chain%:*} _chain=${_chain#*:} ;;
*) table=filter ;;
esac
- run ip46tables -t $table -N $chain 2>/dev/null || :
+ run ip46tables -t $table -N $_chain 2>/dev/null || :
done
}
for ver in ipv4 ipv6; do
if [ -f /proc/sys/net/$ver/conf/$i/$opt ]; then
any=t
- run sysctl -q net/ipv4/conf/$i/$opt="$val"
+ run sysctl -q net/$ver/conf/$i/$opt="$val"
fi
done
case $any in
done
}
+## dnsserver CHAIN
+##
+## Add rules to allow CHAIN to be a DNS server.
+dnsserver () {
+ set -e
+ chain=$1
+
+ ## Allow TCP access. Hitting us with SYNs will make us deploy SYN cookies,
+ ## but that's tolerable.
+ run ip46tables -A $chain -j ACCEPT -p tcp --destination-port 53
+
+ ## Avoid being a DDoS amplifier by rate-limiting incoming DNS queries.
+ clearchain $chain-udp-dns
+ run ip46tables -A $chain-udp-dns -j ACCEPT \
+ -m limit --limit 20/second --limit-burst 300
+ run ip46tables -A $chain-udp-dns -g dns-rate-limit
+ run ip46tables -A $chain -j $chain-udp-dns \
+ -p udp --destination-port 53
+}
+
## openports CHAIN [MIN MAX]
##
## Add rules to CHAIN to allow the open ports.
defhost () {
host=$1
addword allhosts $host
- eval host_type_$host=endsys
+ eval host_type_$host=server
}
-## router
+## hosttype TYPE
##
-## Declare the host to be a router, so it should forward packets and so on.
-router () {
- eval host_type_$host=router
+## Declare the host to have the given type.
+hosttype () {
+ type=$1
+ case $type in
+ router | server | client) ;;
+ *) echo >&2 "$0: bad host type \`$type'"; exit 1 ;;
+ esac
+ eval host_type_$host=$type
}
## iface IFACE NET ...
~mdw / firewall / blobdiff