X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/beb4f0eeafb386d83f2593fec489f4291583e08b..78af294cd1005453cf8b7a0dda4593ba101b345e:/local.m4

diff --git a/local.m4 b/local.m4
index 69122e2..b31b649 100644
--- a/local.m4
+++ b/local.m4
@@ -148,49 +148,54 @@ m4_divert(80)m4_dnl
 ###--------------------------------------------------------------------------
 ### Special forwarding exemptions.
 
-## Only allow these packets if they're not fragmented.  (Don't trust safe
-## hosts's fragment reassembly to be robust against malicious fragments.)
-## There's a hideous bug in iptables 1.4.11.1 which botches the meaning of
-## `! -f', so we do the negation using early return from a subchain.
-clearchain fwd-spec-nofrag
-run iptables -A fwd-spec-nofrag -j RETURN --fragment
-run ip6tables -A fwd-spec-nofrag -j RETURN \
-	-m ipv6header --soft --header frag
-run iptables -A FORWARD -j fwd-spec-nofrag
-
-## Allow ping from safe/noloop to untrusted networks.
-run iptables -A fwd-spec-nofrag -j ACCEPT \
-	-p icmp --icmp-type echo-request \
-	-m mark --mark $to_untrusted/$MASK_TO
-run iptables -A fwd-spec-nofrag -j ACCEPT \
-	-p icmp --icmp-type echo-reply \
-	-m mark --mark $from_untrusted/$MASK_FROM \
-	-m state --state ESTABLISHED
-run ip6tables -A fwd-spec-nofrag -j ACCEPT \
-	-p ipv6-icmp --icmpv6-type echo-request \
-	-m mark --mark $to_untrusted/$MASK_TO
-run ip6tables -A fwd-spec-nofrag -j ACCEPT \
-	-p ipv6-icmp --icmpv6-type echo-reply \
-	-m mark --mark $from_untrusted/$MASK_FROM \
-	-m state --state ESTABLISHED
-
-## Allow SSH from safe/noloop to untrusted networks.
-run iptables -A fwd-spec-nofrag -j ACCEPT \
-	-p tcp --destination-port $port_ssh \
-	-m mark --mark $to_untrusted/$MASK_TO
-run iptables -A fwd-spec-nofrag -j ACCEPT \
-	-p tcp --source-port $port_ssh \
-	-m mark --mark $from_untrusted/$MASK_FROM \
-	-m state --state ESTABLISHED
-run ip6tables -A fwd-spec-nofrag -j ACCEPT \
-	-p tcp --destination-port $port_ssh \
-	-m mark --mark $to_untrusted/$MASK_TO
-run ip6tables -A fwd-spec-nofrag -j ACCEPT \
-	-p tcp --source-port $port_ssh \
-	-m mark --mark $from_untrusted/$MASK_FROM \
-	-m state --state ESTABLISHED
-
-m4_divert(60)m4_dnl
+case $forward in
+  1)
+
+    ## Only allow these packets if they're not fragmented.  (Don't trust safe
+    ## hosts's fragment reassembly to be robust against malicious fragments.)
+    ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
+    ## of `! -f', so we do the negation using early return from a subchain.
+    clearchain fwd-spec-nofrag
+    run iptables -A fwd-spec-nofrag -j RETURN --fragment
+    run ip6tables -A fwd-spec-nofrag -j RETURN \
+	    -m ipv6header --soft --header frag
+    run iptables -A FORWARD -j fwd-spec-nofrag
+
+    ## Allow ping from safe/noloop to untrusted networks.
+    run iptables -A fwd-spec-nofrag -j ACCEPT \
+	    -p icmp --icmp-type echo-request \
+	    -m mark --mark $to_untrusted/$MASK_TO
+    run iptables -A fwd-spec-nofrag -j ACCEPT \
+	    -p icmp --icmp-type echo-reply \
+	    -m mark --mark $from_untrusted/$MASK_FROM \
+	    -m state --state ESTABLISHED
+    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+	    -p ipv6-icmp --icmpv6-type echo-request \
+	    -m mark --mark $to_untrusted/$MASK_TO
+    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+	    -p ipv6-icmp --icmpv6-type echo-reply \
+	    -m mark --mark $from_untrusted/$MASK_FROM \
+	    -m state --state ESTABLISHED
+
+    ## Allow SSH from safe/noloop to untrusted networks.
+    run iptables -A fwd-spec-nofrag -j ACCEPT \
+	    -p tcp --destination-port $port_ssh \
+	    -m mark --mark $to_untrusted/$MASK_TO
+    run iptables -A fwd-spec-nofrag -j ACCEPT \
+	    -p tcp --source-port $port_ssh \
+	    -m mark --mark $from_untrusted/$MASK_FROM \
+	    -m state --state ESTABLISHED
+    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+	    -p tcp --destination-port $port_ssh \
+	    -m mark --mark $to_untrusted/$MASK_TO
+    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+	    -p tcp --source-port $port_ssh \
+	    -m mark --mark $from_untrusted/$MASK_FROM \
+	    -m state --state ESTABLISHED
+
+    ;;
+esac
+
 m4_divert(80)m4_dnl
 ###--------------------------------------------------------------------------
 ### Kill things we don't understand properly.
@@ -201,10 +206,14 @@ m4_divert(80)m4_dnl
 errorchain poorly-understood REJECT
 
 ## Ban multicast destination addresses in forwarding.
-run iptables -A FORWARD -g poorly-understood \
-	-d 224.0.0.0/4
-run ip6tables -A FORWARD -g poorly-understood \
-	-d ff::/8
+case $forward in
+  1)
+    run iptables -A FORWARD -g poorly-understood \
+	    -d 224.0.0.0/4
+    run ip6tables -A FORWARD -g poorly-understood \
+	    -d ff::/8
+    ;;
+esac
 
 m4_divert(84)m4_dnl
 ###--------------------------------------------------------------------------
@@ -253,9 +262,12 @@ run ip46tables -A inbound -j forbidden
 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
 
 ## Otherwise process as indicated by the mark.
-for i in INPUT FORWARD; do
-  run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
-done
+run ip46tables -A INPUT -m mark ! --mark 0/$MASK_MASK -j ACCEPT
+case $forward in
+  1)
+    run ip46tables -A FORWARD -m mark ! --mark 0/$MASK_MASK -j ACCEPT
+    ;;
+esac
 
 m4_divert(-1)
 ###----- That's all, folks --------------------------------------------------