X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/04182f269d527b884f2b528bb3b7fa1826e429e9..8670c87d52da8c68fa8fb99ff1d4976d4a72675a:/vampire.m4 diff --git a/vampire.m4 b/vampire.m4 index b739cda..ed9bd9b 100644 --- a/vampire.m4 +++ b/vampire.m4 @@ -1,4 +1,4 @@ -### -*-m4-*- +### -*-sh-*- ### ### Firewall configuration for vampire ### @@ -22,75 +22,53 @@ ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ###-------------------------------------------------------------------------- -### Network interfaces. - -m4_divert(44)m4_dnl -## Interface definitions. -if_untrusted=eth0.1 -if_trusted=eth0.0 -if_vpn=vpn-+ -if_its_mz=eth0.0 -if_its_pi=eth0.0 - -m4_divert(-1) -###-------------------------------------------------------------------------- ### vampire-specific rules. -m4_divert(35)m4_dnl -errorchain ddos-evil-dns DROP -## Invalid DNS request with probably-forged sender address, with intent to -## cause DDOS. - -m4_divert(82)m4_dnl -## Repelling evil DDos attack. -run ipset -N ddos-evil-dns iphash 2>/dev/null || : -run iptables -A inbound -g ddos-evil-dns \ - -m set --set ddos-evil-dns src \ - -p udp --destination-port $port_dns - +m4_divert(86)m4_dnl ## Externally visible services. allowservices inbound tcp \ - finger ident \ - dns \ + ident \ ssh \ - smtp \ - gnutella_svc \ - ftp ftp_data \ - rsync \ - mpd \ - http https \ - git -allowservices inbound tcp \ - tor_public tor_directory + tor_public tor_directory i2p allowservices inbound udp \ - dns \ tripe \ - gnutella_svc + gnutella_svc \ + i2p -## Provide DNS resolution to local untrusted hosts. -for p in tcp udp; do - run iptables -A inbound -j ACCEPT \ - -s 172.29.198.0/24 \ - -p $p --destination-port $port_dns -done +## Extend some services to local untrusted hosts. +clearchain inbound-untrusted +run iptables -A inbound -j inbound-untrusted -s $net_inet_untrusted +run ip6tables -A inbound -j inbound-untrusted -s $net_inet6_untrusted + +allowservices inbound-untrusted tcp \ + dns \ + lpd \ + netbios_ssn microsoft_ds +allowservices inbound-untrusted udp \ + dns \ + tftp ## Provide syslog for evolution. run iptables -A inbound -j ACCEPT \ -s 172.29.198.2 \ -p udp --destination-port $port_syslog -## Provide a web cache to local untrusted hosts. -run iptables -A inbound -j ACCEPT \ - -s 172.29.198.0/24 \ - -p tcp --destination-port $port_squid - ## Watch outgoing Tor usage. run iptables -A OUTPUT -m multiport \ -p tcp --source-ports $port_tor_public,$port_tor_directory ## Other interesting things. dnsresolver inbound -ntpclient inbound 158.152.1.76 158.152.1.204 194.159.253.2 +dnsserver inbound +ntpclient inbound $ntp_servers + +## Provide NTP service to untrusted clients. +iptables -A inbound -p udp -j ACCEPT \ + --source-port 123 --destination-port 123 \ + -s 172.29.198.0/23 +ip6tables -A inbound -p udp -j ACCEPT \ + --source-port 123 --destination-port 123 \ + -s 2001:470:9740::/48 m4_divert(-1) ###----- That's all, folks --------------------------------------------------