X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/da36fc7d6e6f5635cfcb68cad8c4b7b38c1b634e..HEAD:/fender.m4 diff --git a/fender.m4 b/fender.m4 index f1d84d8..ebabf07 100644 --- a/fender.m4 +++ b/fender.m4 @@ -34,62 +34,12 @@ allowservices inbound tcp \ ntpclient inbound $ntp_servers ## Provide NTP service to untrusted clients. -iptables -A inbound -p udp -j ACCEPT \ - --source-port 123 --destination-port 123 \ - -s 172.29.198.0/23 -ip6tables -A inbound -p udp -j ACCEPT \ - --source-port 123 --destination-port 123 \ - -s 2001:470:9740::/48 +run ip46tables -A inbound-untrusted -p udp -j ACCEPT \ + --source-port 123 --destination-port 123 ## Guaranteed black hole. Put this at the very front of the chain. -run iptables -I INPUT -d 212.13.198.78 -j DROP -run ip6tables -I INPUT -d 2001:ba8:0:1d9::ffff -j DROP - -## Ethernet bridge-level filtering for source addresses. -run ebtables -F -for i in log limit ip ip6; do run modprobe ebt-$i; done - -for c in bad-source-addr check-eth0 bcp38 check-bcp38; do - run ebtables -X $c >/dev/null 2>&1 || : -done - -for ch in bad-source-addr bcp38; do - run ebtables -N $ch - run ebtables -A $ch \ - --limit 20/second --limit-burst 100 \ - --log-prefix "fw: $ch(br)" --log-ip --log-ip6 - run ebtables -A $ch -j DROP -done - -run ebtables -N check-eth0 -run ebtables -A check-eth0 -j RETURN -p ip --ip-source ! 212.13.198.64/28 -run ebtables -A check-eth0 -j RETURN -p ip6 --ip6-source 2001:ba8:0:1d9::1 -run ebtables -A check-eth0 -j bad-source-addr \ - -p ip6 --ip6-source 2001:ba8:1d9::/48 -run ebtables -A check-eth0 -j bad-source-addr \ - -p ip6 --ip6-source 2001:ba8:0:1d9::/64 -run ebtables -A check-eth0 -j RETURN -p ip6 -run ebtables -A check-eth0 -j RETURN -p ip --ip-source 212.13.198.64/30 -run ebtables -A check-eth0 -j RETURN -p ip --ip-source 212.13.198.68 -run ebtables -A check-eth0 -j bad-source-addr -p ip -run ebtables -A INPUT -j check-eth0 -i bond0 -run ebtables -A FORWARD -j check-eth0 -i bond0 - -run ebtables -N check-bcp38 -run ebtables -A check-bcp38 -j RETURN -p ip --ip-source 212.13.198.64/28 -run ebtables -A check-bcp38 -j bcp38 -p ip -run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source 2001:ba8:0:1d9::/64 -run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source 2001:ba8:1d9::/48 -run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source fe80::/10 -run ebtables -A check-bcp38 -j bcp38 -p ip6 -run ebtables -A FORWARD -j check-bcp38 -o bond0 - -## There's a hideous bug in Linux 3.2.51-1's ebtables: for some reason it -## misparses (at least) locally originated multicast packets, and tries to -## extract IP header fields relative to the start of the Ethernet frame. The -## result is obviously a hideous mess. Don't try to do BCP38 checking for -## locally originated packets until this is fixed. -##run ebtables -A OUTPUT -j check-bcp38 -o bond0 +run iptables -I INPUT -d 217.169.12.78 -j DROP +run ip6tables -I INPUT -d 2001:8b0:c92:fff::ffff -j DROP m4_divert(-1) ###----- That's all, folks --------------------------------------------------