X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/08926d25f80fecabb4ef2b3f1e63b3a361ecdb59..994ac8d0782c89a636f47b02a2dc096c72ff58c5:/radius.m4 diff --git a/radius.m4 b/radius.m4 index b2c41ed..6b4a32a 100644 --- a/radius.m4 +++ b/radius.m4 @@ -22,46 +22,16 @@ ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ###-------------------------------------------------------------------------- -### Config settings. - -## This router is involved in a routing asymmetry. -setconf(rp_filter, 0) -setconf(log_martians, 0) - -###-------------------------------------------------------------------------- -### Network interfaces. - -m4_divert(44)m4_dnl -## Interface definitions. -if_dmz=eth0 -if_trusted=eth1 -if_safe=eth2 -if_untrusted=eth3 -if_vpn=$if_dmz,$if_trusted -if_iodine=$if_dmz,$if_trusted -if_its_mz=$if_dmz,$if_trusted -if_its_pi=$if_dmz,$if_trusted - -m4_divert(-1) -###-------------------------------------------------------------------------- ### radius-specific rules. -m4_divert(82)m4_dnl +m4_divert(86)m4_dnl ## Externally visible services. allowservices inbound tcp \ - dns iodine \ + ident \ ssh allowservices inbound udp \ - dns iodine \ tripe -## Provide DNS resolution to local untrusted hosts. -for p in tcp udp; do - run iptables -A inbound -j ACCEPT \ - -s 172.29.198.0/24 \ - -p $p --destination-port $port_dns -done - ## Provide syslog for evolution. run iptables -A inbound -j ACCEPT \ -s 172.29.198.2 \ @@ -69,6 +39,69 @@ run iptables -A inbound -j ACCEPT \ ## Other interesting things. dnsresolver inbound +dnsserver inbound + +## IPv6 6-in-4 tunnel. +run iptables -A inbound -j ACCEPT \ + -p $proto_ipv6 -s 216.66.80.26 + +## Permitted special forwarding. +makeset fwd-allow-http nethash || : +iptables -A fwd-spec-nofrag -j ACCEPT \ + -m set --match-set fwd-allow-http dst \ + -p tcp --destination-port $port_http \ + -m mark --mark $to_untrusted/$MASK_TO +iptables -A fwd-spec-nofrag -j ACCEPT \ + -m set --match-set fwd-allow-http src \ + -p tcp --destination-port $port_http \ + -m mark --mark $from_untrusted/$MASK_FROM \ + -m state --state ESTABLISHED + +## BCP38 filtering. Note that addresses here are seen before NAT is applied. +bcp38 4 ppp0 81.2.113.195 81.187.238.128/28 172.29.198.0/23 +bcp38 6 ppp0 2001:8b0:c92::/48 + +## NAT for RFC1918 addresses. +for i in PREROUTING OUTPUT POSTROUTING; do + run iptables -t nat -P $i ACCEPT 2>/dev/null || : + run iptables -t nat -F $i 2>/dev/null || : +done +run iptables -t nat -F +run iptables -t nat -X + +run iptables -t nat -N outbound +run iptables -t nat -A outbound -j RETURN ! -o ppp0 +run iptables -t nat -A outbound -j RETURN ! -s 172.29.198.0/23 +run iptables -t nat -A outbound -j RETURN -d 81.187.238.128/28 +run iptables -t nat -A outbound -j RETURN -d 172.29.198.0/23 + +## An awful hack. +##run iptables -t nat -A outbound -j DNETMAP --reuse \ +## -s 172.29.199.44 --prefix 81.187.238.142 +##run iptables -t nat -A outbound -j DNETMAP --reuse \ +## -s 172.29.198.34 --prefix 81.187.238.142 +##run iptables -t nat -A outbound -j DNETMAP --reuse \ +## -s 172.29.198.11 --prefix 81.187.238.142 +##run iptables -t nat -A PREROUTING -j DNETMAP + +run iptables -t nat -A outbound -j SNAT --to-source 81.187.238.142 +run iptables -t nat -A POSTROUTING -j outbound + +## Set up NAT protocol helpers. In particular, SIP needs some special +## twiddling. +run modprobe nf_conntrack_sip \ + ports=5060 \ + sip_direct_signalling=0 \ + sip_direct_media=0 +for p in ftp sip h323; do + run modprobe nf_nat_$p +done + +## Forbid anything complicated to the NAT address. Be sure to allow ident, +## though. +run iptables -A INPUT -d 81.187.238.142 -p tcp -j ACCEPT \ + -m multiport --destination-ports=113 +run iptables -A INPUT -d 81.187.238.142 ! -p icmp -j REJECT m4_divert(-1) ###----- That's all, folks --------------------------------------------------