X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/1a42af95515f1f6920f0ba2b45576278bbc2c8cf..38e85ca3b58ddcf50c7db608f5baa2fd19771f8a:/radius.m4

diff --git a/radius.m4 b/radius.m4
index 978a877..d8efa4f 100644
--- a/radius.m4
+++ b/radius.m4
@@ -28,19 +28,10 @@ m4_divert(86)m4_dnl
 ## Externally visible services.
 allowservices inbound tcp \
 	ident \
-	dns iodine \
 	ssh
 allowservices inbound udp \
-	dns iodine \
 	tripe
 
-## Provide DNS resolution to local untrusted hosts.
-for p in tcp udp; do
-  run iptables -A inbound -j ACCEPT \
-	  -s 172.29.198.0/24 \
-	  -p $p --destination-port $port_dns
-done
-
 ## Provide syslog for evolution.
 run iptables -A inbound -j ACCEPT \
 	-s 172.29.198.2 \
@@ -48,11 +39,30 @@ run iptables -A inbound -j ACCEPT \
 
 ## Other interesting things.
 dnsresolver inbound
+dnsserver inbound
 
 ## IPv6 6-in-4 tunnel.
 run iptables -A inbound -j ACCEPT \
 	-p $proto_ipv6 -s 216.66.80.26
 
+## Permitted special forwarding.
+makeset fwd-allow-http nethash || :
+iptables -A fwd-spec-nofrag -j ACCEPT \
+	-m set --match-set fwd-allow-http dst \
+	-p tcp --destination-port $port_http \
+	-m mark --mark $to_untrusted/$MASK_TO
+iptables -A fwd-spec-nofrag -j ACCEPT \
+	-m set --match-set fwd-allow-http src \
+	-p tcp --destination-port $port_http \
+	-m mark --mark $from_untrusted/$MASK_FROM \
+	-m state --state ESTABLISHED
+
+## BCP38 filtering.  Note that addresses here are seen before NAT is applied.
+bcp38 4 ppp0 62.49.204.144/28 172.29.198.0/23
+bcp38 6 t6-he \
+	2001:470:1f08:1b98::2 2001:470:1f09:1b98::/64 \
+	2001:470:9740::/48
+
 ## NAT for RFC1918 addresses.
 for i in PREROUTING OUTPUT POSTROUTING; do
   run iptables -t nat -P $i ACCEPT 2>/dev/null || :
@@ -62,14 +72,37 @@ run iptables -t nat -F
 run iptables -t nat -X
 
 run iptables -t nat -N outbound
-run iptables -t nat -A outbound -j RETURN ! -o eth0
+run iptables -t nat -A outbound -j RETURN ! -o ppp0
 run iptables -t nat -A outbound -j RETURN ! -s 172.29.198.0/23
 run iptables -t nat -A outbound -j RETURN -d 62.49.204.144/28
 run iptables -t nat -A outbound -j RETURN -d 172.29.198.0/23
+
+## An awful hack.
+##run iptables -t nat -A outbound -j DNETMAP --reuse \
+##	-s 172.29.199.44 --prefix 62.49.204.157
+##run iptables -t nat -A outbound -j DNETMAP --reuse \
+##	-s 172.29.198.34 --prefix 62.49.204.157
+##run iptables -t nat -A outbound -j DNETMAP --reuse \
+##	-s 172.29.198.11 --prefix 62.49.204.157
+##run iptables -t nat -A PREROUTING -j DNETMAP
+
 run iptables -t nat -A outbound -j SNAT --to-source 62.49.204.158
 run iptables -t nat -A POSTROUTING -j outbound
 
-## Forbid anything complicated to the NAT address.
+## Set up NAT protocol helpers.  In particular, SIP needs some special
+## twiddling.
+run modprobe nf_conntrack_sip \
+  ports=5060 \
+  sip_direct_signalling=0 \
+  sip_direct_media=0
+for p in ftp sip h323; do
+  run modprobe nf_nat_$p
+done
+
+## Forbid anything complicated to the NAT address.  Be sure to allow ident,
+## though.
+run iptables -A INPUT -d 62.49.204.158 -p tcp -j ACCEPT \
+	-m multiport --destination-ports=113
 run iptables -A INPUT -d 62.49.204.158 ! -p icmp -j REJECT
 
 m4_divert(-1)