## 172.29.198.0/24 Untrusted networks.
## .0/25 house wireless net
## .128/28 iodine (IP-over-DNS) network
+## .144/28 hippotat (IP-over-HTTP) network
## .160/27 untrusted virtual network
##
## 172.29.199.0/24 Trusted networks.
defhost gibson
hosttype client
- iface eth0.5 unsafe
+ iface eth0 unsafe
## Colocated networks.
defnet jump trusted
defnet iodine untrusted
addr 172.29.198.128/28
via colohub
+defnet hippotat untrusted
+ addr 172.29.198.144/28
+ via colohub
## Colocated hosts.
defhost fender
iface eth0 jump colo vpn
iface eth1 jump colo vpn
iface dns0 iodine
+ iface hippo-svc hippotat
iface vpn-+ vpn
## Other networks.
;;
esac
+m4_divert(82)m4_dnl
+###--------------------------------------------------------------------------
+### Check for source routing.
+
+clearchain check-srcroute
+
+run iptables -A check-srcroute -g forbidden \
+ -m ipv4options --any --flags lsrr,ssrr
+run ip6tables -A check-srcroute -g forbidden \
+ -m rt
+
+for c in INPUT FORWARD; do
+ for m in $from_scary $from_untrusted; do
+ run ip46tables -A $c -m mark --mark $m/$MASK_FROM -j check-srcroute
+ done
+done
+
m4_divert(84)m4_dnl
###--------------------------------------------------------------------------
### Locally-bound packet inspection.
openports inbound
## Inspect inbound packets from untrusted sources.
-run ip46tables -A inbound -j forbidden
+run ip46tables -A inbound -g forbidden
run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
~mdw / firewall / blobdiff