~mdw / firewall / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
eggle.m4, local.m4, local.mk: Add new VPS `eggle'.
[firewall] / fender.m4
diff --git a/fender.m4 b/fender.m4
index a6c7362..ebabf07 100644 (file)
--- a/fender.m4
+++ b/fender.m4
@@ -33,5 +33,13 @@ allowservices inbound tcp \
 ## We have to provide NTP service.  The guests sync to our clock.
 ntpclient inbound $ntp_servers
 
+## Provide NTP service to untrusted clients.
+run ip46tables -A inbound-untrusted -p udp -j ACCEPT \
+         --source-port 123 --destination-port 123
+
+## Guaranteed black hole.  Put this at the very front of the chain.
+run iptables -I INPUT -d 217.169.12.78 -j DROP
+run ip6tables -I INPUT -d 2001:8b0:c92:fff::ffff -j DROP
+
 m4_divert(-1)
 ###----- That's all, folks --------------------------------------------------
Firewall scripts for distorted.org.uk.