X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/bfdc045deb6149808d309b4ac3c292d9c57a8b38..926655b5205446b631fe68031081f56dcb2c8255:/local.m4
diff --git a/local.m4 b/local.m4
index 56c2253..b321cde 100644
--- a/local.m4
+++ b/local.m4
@@ -43,9 +43,10 @@ defiface $if_trusted \
 safe:172.29.199.64/27 \
 untrusted:default
 defiface $if_untrusted \
- untrusted:172.29.198.0/24
+ untrusted:172.29.198.0/25
 defvpn $if_vpn safe 172.29.199.128/27 \
 crybaby:172.29.199.129
+defiface $if_iodine untrusted:172.29.198.128/28
 defiface $if_its_mz safe:172.29.199.160/30
 defiface $if_its_pi safe:192.168.0.0/24
@@ -55,19 +56,19 @@ m4_divert(60)m4_dnl
 ## Allow ping from safe/noloop to untrusted networks.
 run iptables -A FORWARD -j ACCEPT \
- -p icmp --icmp-type echo-request \
+ -p icmp ! -f --icmp-type echo-request \
 -m mark --mark $to_untrusted/$MASK_TO
 run iptables -A FORWARD -j ACCEPT \
- -p icmp --icmp-type echo-reply \
+ -p icmp ! -f --icmp-type echo-reply \
 -m mark --mark $from_untrusted/$MASK_FROM \
 -m state --state ESTABLISHED
 ## Allow SSH from safe/noloop to untrusted networks.
 run iptables -A FORWARD -j ACCEPT \
- -p tcp --destination-port $port_ssh \
+ -p tcp ! -f --destination-port $port_ssh \
 -m mark --mark $to_untrusted/$MASK_TO
 run iptables -A FORWARD -j ACCEPT \
- -p tcp --source-port $port_ssh \
+ -p tcp ! -f --source-port $port_ssh \
 -m mark --mark $from_untrusted/$MASK_FROM \
 -m state --state ESTABLISHED
@@ -78,6 +79,7 @@ m4_divert(80)m4_dnl
 clearchain inbound
 ## Track connections.
+commonrules inbound
 conntrack inbound
 ## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a
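Review bot: Narrowing `$if_untrusted` to 172.29.198.0/25 and giving `$if_iodine` only 172.29.198.128/28 leaves 172.29.198.144–172.29.198.255 claimed by no `defiface` in this hunk, where previously the whole /24 was untrusted. If that gap is intended, a comment would spare the next reader the arithmetic, e.g. `## iodine tunnel clients, carved from the old untrusted /24; .144-.255 is currently unassigned.` above the new `defiface $if_iodine` line. Whether traffic from the leftover range is dropped or falls into some default depends on how `defiface` is defined elsewhere, which is not visible here.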
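Review bot: The `! -f` qualifier added to all four FORWARD rules in this hunk carries no comment explaining it, and the motivation is not self-evident: the icmp and tcp matches can only examine a first fragment in any case, and if connection tracking is loaded (the third hunk's `conntrack inbound` suggests it is) IPv4 packets are reassembled before they reach FORWARD, so the qualifier may be stating intent rather than changing what is accepted. A one-line comment above the first rule would settle that for future readers, e.g. `## Exclude non-first fragments (! -f): they carry no ICMP/TCP header to match on.` These rules sit inside the `m4_divert(60)` section, which continues outside the hunk.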
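Review bot: The new `commonrules inbound` line is inserted between the `## Track connections.` comment and the `conntrack inbound` call that comment describes, so the comment now labels the wrong line. Either place `commonrules inbound` above the comment or give it a comment of its own, e.g. `## Common rules for the inbound chain.` followed by `commonrules inbound`, then the existing `## Track connections.` / `conntrack inbound` pair. What `commonrules` installs, and whether it must precede `conntrack`, is not visible in this hunk; the `m4_divert(80)` section continues outside it.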