X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/dad380658e5cb8f7233bc5f8ab328a2959f9f6ce..994ac8d0782c89a636f47b02a2dc096c72ff58c5:/radius.m4 diff --git a/radius.m4 b/radius.m4 index e543878..6b4a32a 100644 --- a/radius.m4 +++ b/radius.m4 @@ -24,23 +24,14 @@ ###-------------------------------------------------------------------------- ### radius-specific rules. -m4_divert(84)m4_dnl +m4_divert(86)m4_dnl ## Externally visible services. allowservices inbound tcp \ ident \ - dns iodine \ ssh allowservices inbound udp \ - dns iodine \ tripe -## Provide DNS resolution to local untrusted hosts. -for p in tcp udp; do - run iptables -A inbound -j ACCEPT \ - -s 172.29.198.0/24 \ - -p $p --destination-port $port_dns -done - ## Provide syslog for evolution. run iptables -A inbound -j ACCEPT \ -s 172.29.198.2 \ @@ -48,11 +39,28 @@ run iptables -A inbound -j ACCEPT \ ## Other interesting things. dnsresolver inbound +dnsserver inbound ## IPv6 6-in-4 tunnel. run iptables -A inbound -j ACCEPT \ -p $proto_ipv6 -s 216.66.80.26 +## Permitted special forwarding. +makeset fwd-allow-http nethash || : +iptables -A fwd-spec-nofrag -j ACCEPT \ + -m set --match-set fwd-allow-http dst \ + -p tcp --destination-port $port_http \ + -m mark --mark $to_untrusted/$MASK_TO +iptables -A fwd-spec-nofrag -j ACCEPT \ + -m set --match-set fwd-allow-http src \ + -p tcp --destination-port $port_http \ + -m mark --mark $from_untrusted/$MASK_FROM \ + -m state --state ESTABLISHED + +## BCP38 filtering. Note that addresses here are seen before NAT is applied. +bcp38 4 ppp0 81.2.113.195 81.187.238.128/28 172.29.198.0/23 +bcp38 6 ppp0 2001:8b0:c92::/48 + ## NAT for RFC1918 addresses. for i in PREROUTING OUTPUT POSTROUTING; do run iptables -t nat -P $i ACCEPT 2>/dev/null || : @@ -62,15 +70,38 @@ run iptables -t nat -F run iptables -t nat -X run iptables -t nat -N outbound -run iptables -t nat -A outbound -j RETURN ! -o eth0 +run iptables -t nat -A outbound -j RETURN ! -o ppp0 run iptables -t nat -A outbound -j RETURN ! -s 172.29.198.0/23 -run iptables -t nat -A outbound -j RETURN -d 62.49.204.144/28 +run iptables -t nat -A outbound -j RETURN -d 81.187.238.128/28 run iptables -t nat -A outbound -j RETURN -d 172.29.198.0/23 -run iptables -t nat -A outbound -j SNAT --to-source 62.49.204.158 + +## An awful hack. +##run iptables -t nat -A outbound -j DNETMAP --reuse \ +## -s 172.29.199.44 --prefix 81.187.238.142 +##run iptables -t nat -A outbound -j DNETMAP --reuse \ +## -s 172.29.198.34 --prefix 81.187.238.142 +##run iptables -t nat -A outbound -j DNETMAP --reuse \ +## -s 172.29.198.11 --prefix 81.187.238.142 +##run iptables -t nat -A PREROUTING -j DNETMAP + +run iptables -t nat -A outbound -j SNAT --to-source 81.187.238.142 run iptables -t nat -A POSTROUTING -j outbound -## Forbid anything complicated to the NAT address. -run iptables -A INPUT -d 62.49.204.158 ! -p icmp -j REJECT +## Set up NAT protocol helpers. In particular, SIP needs some special +## twiddling. +run modprobe nf_conntrack_sip \ + ports=5060 \ + sip_direct_signalling=0 \ + sip_direct_media=0 +for p in ftp sip h323; do + run modprobe nf_nat_$p +done + +## Forbid anything complicated to the NAT address. Be sure to allow ident, +## though. +run iptables -A INPUT -d 81.187.238.142 -p tcp -j ACCEPT \ + -m multiport --destination-ports=113 +run iptables -A INPUT -d 81.187.238.142 ! -p icmp -j REJECT m4_divert(-1) ###----- That's all, folks --------------------------------------------------