defnet untrusted untrusted
addr 172.29.198.0/25 2001:470:9740:8001::/64
forwards househub
-defnet iodine untrusted
- addr 172.29.198.128/28
defnet househub virtual
forwards housebdry dmz unsafe safe untrusted
## House hosts.
defhost radius
- router
- iface eth0 dmz unsafe safe
- iface eth1 dmz unsafe safe
- iface eth2 safe
- iface eth3 untrusted
+ hosttype router
+ iface eth0 dmz unsafe safe untrusted vpn sgo colobdry default
+ iface eth1 dmz unsafe safe untrusted vpn sgo colobdry default
+ iface eth2 dmz unsafe safe untrusted vpn sgo colobdry
+ iface eth3 untrusted vpn default
+ iface ppp0 default
+ iface t6-he default
+ iface vpn-precision colobdry vpn sgo
+ iface vpn-chiark sgo
+ iface vpn-+ vpn
defhost roadstar
iface eth0 dmz unsafe
iface eth1 dmz unsafe
iface eth0 dmz unsafe
iface eth1 dmz unsafe
defhost artist
- iface eth0 dmz unsafe
- iface eth1 dmz unsafe
+ hosttype router
+ iface eth0 dmz unsafe untrusted
+ iface eth1 dmz unsafe untrusted
+ iface eth3 untrusted
defhost vampire
- router
- iface eth0.0 dmz unsafe safe
- iface eth0.1 dmz unsafe safe
- iface eth0.2 safe
- iface eth0.3 untrusted
- iface dns0 iodine
- iface vpn-precision colobdry vpn
+ hosttype router
+ iface eth0.4 dmz unsafe untrusted safe vpn sgo colobdry
+ iface eth0.5 dmz unsafe untrusted safe vpn sgo colobdry
+ iface eth0.6 dmz unsafe safe untrusted vpn sgo colobdry
+ iface eth0.7 untrusted
+ iface vpn-precision colobdry vpn sgo
iface vpn-chiark sgo
iface vpn-+ vpn
defhost ibanez
iface br-unsafe unsafe
defhost gibson
+ hosttype client
iface eth0 unsafe
## Colocated networks.
addr 172.29.199.176/28 2001:ba8:1d9:2::/64
forwards colohub
defnet colohub virtual
- forwards colobdry jump colo
+ forwards colobdry jump colo iodine
defnet colobdry virtual
forwards colohub hub
noxit jump
+defnet iodine untrusted
+ addr 172.29.198.128/28
+ forwards colohub
## Colocated hosts.
defhost fender
iface br-jump jump colo
iface br-colo jump colo
defhost precision
- router
- iface eth0 jump colo
- iface eth1 jump colo
- iface vpn-vampire housebdry vpn
+ hosttype router
+ iface eth0 jump colo sgo
+ iface eth1 jump colo sgo
+ iface vpn-radius housebdry vpn sgo
iface vpn-chiark sgo
iface vpn-+ vpn
defhost telecaster
defhost jazz
iface eth0 jump colo
iface eth1 jump colo
+ iface dns0 iodine
## Other networks.
defnet hub virtual
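Review bot: The `untrusted` network now shares interfaces with `safe` and `dmz` on three routers — radius `iface eth0`–`eth2`, artist `iface eth0`/`eth1`, vampire `iface eth0.4`–`eth0.6` — so the interface-level separation the old dedicated `eth3`/`eth0.3` entries provided is gone, and nothing in the hunk records why. If the `iface` lists drive a per-interface source check (the layout suggests so, but the mechanism is outside this hunk), a packet with a `safe` source address arriving on the untrusted-facing VLAN is no longer rejected by interface and the two classes are separated by address marks alone. Either the relaxation is intended (trunked VLANs, bridged segments), in which case a comment above each affected host such as `## eth0/eth1 carry all house VLANs; interface check deliberately relaxed, isolation relies on address classification` would stop the next reader from treating it as a mistake, or it is not, in which case the `untrusted` token should come off the shared interfaces and stay only on `eth3`/`eth0.7`. The same question applies to the `default` token, which on radius now appears on eth0, eth1, eth3, ppp0 and t6-he at once.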
-m state --state ESTABLISHED
## Allow SSH from safe/noloop to untrusted networks.
- run iptables -A fwd-spec-nofrag -j ACCEPT \
- -p tcp --destination-port $port_ssh \
- -m mark --mark $to_untrusted/$MASK_TO
- run iptables -A fwd-spec-nofrag -j ACCEPT \
- -p tcp --source-port $port_ssh \
- -m mark --mark $from_untrusted/$MASK_FROM \
- -m state --state ESTABLISHED
- run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+ run ip46tables -A fwd-spec-nofrag -j ACCEPT \
-p tcp --destination-port $port_ssh \
-m mark --mark $to_untrusted/$MASK_TO
- run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+ run ip46tables -A fwd-spec-nofrag -j ACCEPT \
-p tcp --source-port $port_ssh \
-m mark --mark $from_untrusted/$MASK_FROM \
-m state --state ESTABLISHED
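Review bot: The comment promises SSH "from safe/noloop to untrusted", but the forward rule added with `run ip46tables -A fwd-spec-nofrag -j ACCEPT -p tcp --destination-port $port_ssh -m mark --mark $to_untrusted/$MASK_TO` matches only the TO mark, so any source whose traffic reaches `fwd-spec-nofrag` with that mark is accepted on port 22. If the source restriction is enforced by whoever jumps into `fwd-spec-nofrag`, the comment should say so, e.g. `## Allow SSH to untrusted networks (the restriction to safe/noloop sources is applied before this chain is entered).`; if it is not, the rule needs a FROM-mark match as well. The reply rule already relies on conntrack, so `--source-port $port_ssh` on it is redundant and could be dropped for consistency, and the forward rule could carry `-m state --state NEW,ESTABLISHED` so the two directions read alike. The iptables statement whose `-m state --state ESTABLISHED` continuation opens this hunk begins outside it.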