defnet untrusted untrusted
addr 172.29.198.0/25 2001:470:9740:8001::/64
forwards househub
-defnet iodine untrusted
- addr 172.29.198.128/28
defnet househub virtual
forwards housebdry dmz unsafe safe untrusted
hosttype router
iface eth0 dmz unsafe safe untrusted vpn sgo colobdry default
iface eth1 dmz unsafe safe untrusted vpn sgo colobdry default
- iface eth2 safe vpn
+ iface eth2 dmz unsafe safe untrusted vpn sgo colobdry
iface eth3 untrusted vpn default
+ iface ppp0 default
iface t6-he default
iface vpn-precision colobdry vpn sgo
iface vpn-chiark sgo
iface eth1 dmz unsafe
defhost artist
hosttype router
- iface eth0 dmz unsafe
- iface eth1 dmz unsafe
+ iface eth0 dmz unsafe untrusted
+ iface eth1 dmz unsafe untrusted
iface eth3 untrusted
defhost vampire
hosttype router
- iface eth0.0 dmz unsafe untrusted safe vpn sgo colobdry
- iface eth0.1 dmz unsafe untrusted safe vpn sgo colobdry
- iface eth0.2 safe
- iface eth0.3 untrusted
- iface dns0 iodine
+ iface eth0.4 dmz unsafe untrusted safe vpn sgo colobdry
+ iface eth0.5 dmz unsafe untrusted safe vpn sgo colobdry
+ iface eth0.6 dmz unsafe safe untrusted vpn sgo colobdry
+ iface eth0.7 untrusted
iface vpn-precision colobdry vpn sgo
iface vpn-chiark sgo
iface vpn-+ vpn
addr 172.29.199.176/28 2001:ba8:1d9:2::/64
forwards colohub
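Review bot: The tag order on the new `iface eth0.6` line differs from its siblings: eth0.4 and eth0.5 list `dmz unsafe untrusted safe vpn sgo colobdry` while eth0.6 lists `dmz unsafe safe untrusted vpn sgo colobdry`. If the order of network tags is not significant in this format this is only a readability nit, but it makes a diff-based review of which interfaces expose `untrusted` harder to do by eye; I would write eth0.6 as `iface eth0.6 dmz unsafe untrusted safe vpn sgo colobdry` to match the two lines above it. I cannot see a hunk header, so the vampire definition may start or continue outside this hunk.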
defnet colohub virtual
- forwards colobdry jump colo
+ forwards colobdry jump colo iodine
defnet colobdry virtual
forwards colohub hub
noxit jump
+defnet iodine untrusted
+ addr 172.29.198.128/28
+ forwards colohub
## Colocated hosts.
defhost fender
defhost jazz
iface eth0 jump colo
iface eth1 jump colo
+ iface dns0 iodine
## Other networks.
defnet hub virtual
-m state --state ESTABLISHED
## Allow SSH from safe/noloop to untrusted networks.
- run iptables -A fwd-spec-nofrag -j ACCEPT \
+ run ip46tables -A fwd-spec-nofrag -j ACCEPT \
-p tcp --destination-port $port_ssh \
-m mark --mark $to_untrusted/$MASK_TO
- run iptables -A fwd-spec-nofrag -j ACCEPT \
- -p tcp --source-port $port_ssh \
- -m mark --mark $from_untrusted/$MASK_FROM \
- -m state --state ESTABLISHED
- run ip6tables -A fwd-spec-nofrag -j ACCEPT \
- -p tcp --destination-port $port_ssh \
- -m mark --mark $to_untrusted/$MASK_TO
- run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+ run ip46tables -A fwd-spec-nofrag -j ACCEPT \
-p tcp --source-port $port_ssh \
-m mark --mark $from_untrusted/$MASK_FROM \
-m state --state ESTABLISHED
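Review bot: The comment above this hunk says SSH is allowed "from safe/noloop", but the consolidated forward rule matches only the destination mark (`-m mark --mark $to_untrusted/$MASK_TO`); the source-side restriction is not expressed here, so it is presumably enforced by whatever decides when fwd-spec-nofrag is entered. That assumption deserves a line next to the rule, e.g. `## Source restriction (safe/noloop) is applied before traffic reaches fwd-spec-nofrag.`, so a later edit to the chain's callers does not silently widen this to any source that can reach an untrusted network. The merge of the iptables/ip6tables pairs into single ip46tables calls looks equivalent provided the wrapper applies each rule to both families, which this hunk does not show. The first line of the hunk is the tail of a preceding rule, so that command starts outside the hunk.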