fender.m4: BCP38 source-address filtering, at ebtables level.
diff --git a/radius.m4 b/radius.m4
index b8481bb..090249c 100644
--- a/radius.m4
+++ b/radius.m4
@@ -57,6 +57,12 @@
iptables -A fwd-spec-nofrag -j ACCEPT \
-m mark --mark $from_untrusted/$MASK_FROM \
-m state --state ESTABLISHED
-m mark --mark $from_untrusted/$MASK_FROM \
-m state --state ESTABLISHED
+## BCP38 filtering. Note that addresses here are seen before NAT is applied.
+bcp38 4 ppp0 62.49.204.144/28 172.29.198.0/23
+bcp38 6 t6-he \
+ 2001:470:1f08:1b98::2 2001:470:1f09:1b98::/64 \
+ 2001:470:9740::/48
+
## NAT for RFC1918 addresses.
for i in PREROUTING OUTPUT POSTROUTING; do
run iptables -t nat -P $i ACCEPT 2>/dev/null || :
## NAT for RFC1918 addresses.
for i in PREROUTING OUTPUT POSTROUTING; do
run iptables -t nat -P $i ACCEPT 2>/dev/null || :
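Review bot: the comment above the new `bcp38` lines should state which direction the address list applies to. Listing the RFC1918 range 172.29.198.0/23 next to the public 62.49.204.144/28 for ppp0 only makes sense if these are the source addresses permitted to leave that interface before SNAT rewrites them, but the comment says only that addresses are seen before NAT; spell out that the list is egress sources, and say where `bcp38` itself is defined, since the commit title points at fender.m4 rather than this file.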