X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/36307da92b89c2413f49e2b705f73b2d1ec4e849..38e85ca3b58ddcf50c7db608f5baa2fd19771f8a:/radius.m4 diff --git a/radius.m4 b/radius.m4 index c1dcb90..d8efa4f 100644 --- a/radius.m4 +++ b/radius.m4 @@ -22,37 +22,16 @@ ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ###-------------------------------------------------------------------------- -### Network interfaces. - -m4_divert(44)m4_dnl -## Interface definitions. -if_untrusted=eth1 -if_trusted=eth0 -if_vpn=eth0 -if_iodine=eth0 -if_its_mz=eth0 -if_its_pi=eth0 - -m4_divert(-1) -###-------------------------------------------------------------------------- ### radius-specific rules. -m4_divert(82)m4_dnl +m4_divert(86)m4_dnl ## Externally visible services. allowservices inbound tcp \ - dns iodine \ + ident \ ssh allowservices inbound udp \ - dns iodine \ tripe -## Provide DNS resolution to local untrusted hosts. -for p in tcp udp; do - run iptables -A inbound -j ACCEPT \ - -s 172.29.198.0/24 \ - -p $p --destination-port $port_dns -done - ## Provide syslog for evolution. run iptables -A inbound -j ACCEPT \ -s 172.29.198.2 \ @@ -60,6 +39,71 @@ run iptables -A inbound -j ACCEPT \ ## Other interesting things. dnsresolver inbound +dnsserver inbound + +## IPv6 6-in-4 tunnel. +run iptables -A inbound -j ACCEPT \ + -p $proto_ipv6 -s 216.66.80.26 + +## Permitted special forwarding. +makeset fwd-allow-http nethash || : +iptables -A fwd-spec-nofrag -j ACCEPT \ + -m set --match-set fwd-allow-http dst \ + -p tcp --destination-port $port_http \ + -m mark --mark $to_untrusted/$MASK_TO +iptables -A fwd-spec-nofrag -j ACCEPT \ + -m set --match-set fwd-allow-http src \ + -p tcp --destination-port $port_http \ + -m mark --mark $from_untrusted/$MASK_FROM \ + -m state --state ESTABLISHED + +## BCP38 filtering. Note that addresses here are seen before NAT is applied. +bcp38 4 ppp0 62.49.204.144/28 172.29.198.0/23 +bcp38 6 t6-he \ + 2001:470:1f08:1b98::2 2001:470:1f09:1b98::/64 \ + 2001:470:9740::/48 + +## NAT for RFC1918 addresses. +for i in PREROUTING OUTPUT POSTROUTING; do + run iptables -t nat -P $i ACCEPT 2>/dev/null || : + run iptables -t nat -F $i 2>/dev/null || : +done +run iptables -t nat -F +run iptables -t nat -X + +run iptables -t nat -N outbound +run iptables -t nat -A outbound -j RETURN ! -o ppp0 +run iptables -t nat -A outbound -j RETURN ! -s 172.29.198.0/23 +run iptables -t nat -A outbound -j RETURN -d 62.49.204.144/28 +run iptables -t nat -A outbound -j RETURN -d 172.29.198.0/23 + +## An awful hack. +##run iptables -t nat -A outbound -j DNETMAP --reuse \ +## -s 172.29.199.44 --prefix 62.49.204.157 +##run iptables -t nat -A outbound -j DNETMAP --reuse \ +## -s 172.29.198.34 --prefix 62.49.204.157 +##run iptables -t nat -A outbound -j DNETMAP --reuse \ +## -s 172.29.198.11 --prefix 62.49.204.157 +##run iptables -t nat -A PREROUTING -j DNETMAP + +run iptables -t nat -A outbound -j SNAT --to-source 62.49.204.158 +run iptables -t nat -A POSTROUTING -j outbound + +## Set up NAT protocol helpers. In particular, SIP needs some special +## twiddling. +run modprobe nf_conntrack_sip \ + ports=5060 \ + sip_direct_signalling=0 \ + sip_direct_media=0 +for p in ftp sip h323; do + run modprobe nf_nat_$p +done + +## Forbid anything complicated to the NAT address. Be sure to allow ident, +## though. +run iptables -A INPUT -d 62.49.204.158 -p tcp -j ACCEPT \ + -m multiport --destination-ports=113 +run iptables -A INPUT -d 62.49.204.158 ! -p icmp -j REJECT m4_divert(-1) ###----- That's all, folks --------------------------------------------------