X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/f98dfdf667181aad1d53a6e3a3758c2c6caec3a8..d119795:/vampire.m4 diff --git a/vampire.m4 b/vampire.m4 index e5ab346..55c7961 100644 --- a/vampire.m4 +++ b/vampire.m4 @@ -1,4 +1,4 @@ -### -*-m4-*- +### -*-sh-*- ### ### Firewall configuration for vampire ### @@ -22,76 +22,101 @@ ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ###-------------------------------------------------------------------------- +### Config settings. + +## This router is involved in a routing asymmetry. +setconf(rp_filter, 0) +setconf(log_martians, 0) + +###-------------------------------------------------------------------------- ### Network interfaces. m4_divert(44)m4_dnl ## Interface definitions. -if_untrusted=eth0.1 -if_trusted=eth0.0 +if_dmz=eth0.0 +if_trusted=eth0.1 +if_safe=$if_dmz,$if_trusted +if_untrusted=eth0.3 if_vpn=vpn-+ if_iodine=dns+ -if_its_mz=eth0.0 -if_its_pi=eth0.0 +if_its_mz=$if_dmz,$if_trusted +if_its_pi=$if_dmz,$if_trusted m4_divert(-1) ###-------------------------------------------------------------------------- ### vampire-specific rules. -m4_divert(35)m4_dnl -errorchain ddos-evil-dns DROP -## Invalid DNS request with probably-forged sender address, with intent to -## cause DDOS. - m4_divert(82)m4_dnl -## Repelling evil DDos attack. -run ipset -N ddos-evil-dns iphash 2>/dev/null || : -run iptables -A inbound -g ddos-evil-dns \ - -m set --set ddos-evil-dns src \ - -p udp --destination-port $port_dns - ## Externally visible services. allowservices inbound tcp \ finger ident \ dns iodine \ ssh \ - smtp \ + smtp submission \ gnutella_svc \ ftp ftp_data \ rsync \ - disorder \ - http https \ - git -allowservices inbound tcp \ - tor_public tor_directory + imaps \ + disorder mpd \ + http https squid \ + git \ + tor_public tor_directory i2p allowservices inbound udp \ dns iodine \ tripe \ - gnutella_svc + gnutella_svc \ + i2p -## Provide DNS resolution to local untrusted hosts. -for p in tcp udp; do - run iptables -A inbound -j ACCEPT \ - -s 172.29.198.0/24 \ - -p $p --destination-port $port_dns -done +## Extend some services to local untrusted hosts. +clearchain inbound-untrusted +run iptables -A inbound -j inbound-untrusted \ + -s 172.29.198.0/24 + +allowservices inbound-untrusted tcp \ + dns \ + netbios_ssn microsoft_ds +allowservices inbound-untrusted udp \ + dns \ + tftp ## Provide syslog for evolution. run iptables -A inbound -j ACCEPT \ -s 172.29.198.2 \ -p udp --destination-port $port_syslog -## Provide a web cache to local untrusted hosts. -run iptables -A inbound -j ACCEPT \ - -s 172.29.198.0/24 \ - -p tcp --destination-port $port_squid - ## Watch outgoing Tor usage. run iptables -A OUTPUT -m multiport \ -p tcp --source-ports $port_tor_public,$port_tor_directory ## Other interesting things. dnsresolver inbound -ntpclient inbound 158.152.1.76 158.152.1.204 194.159.253.2 +ntpclient inbound $ntp_servers + +## NAT for RFC1918 addresses. +for i in PREROUTING OUTPUT POSTROUTING; do + run iptables -t nat -P $i ACCEPT 2>/dev/null || : + run iptables -t nat -F $i 2>/dev/null || : +done +run iptables -t nat -F +run iptables -t nat -X + +run iptables -t nat -N outbound +run iptables -t nat -A outbound -j RETURN ! -o $if_dmz +run iptables -t nat -A outbound -j RETURN ! -s 172.29.198.0/23 +run iptables -t nat -A outbound -j RETURN -d 62.49.204.144/28 +run iptables -t nat -A outbound -j RETURN -d 172.29.198.0/23 +run iptables -t nat -A outbound -j SNAT --to-source 62.49.204.158 +run iptables -t nat -A POSTROUTING -j outbound + +## Set up NAT protocol helpers. In particular, SIP needs some special +## twiddling. +run modprobe nf_conntrack_sip \ + ports=5060 \ + sip_direct_signalling=0 \ + sip_direct_media=0 +for p in ftp sip h323; do + run modprobe nf_nat_$p +done m4_divert(-1) ###----- That's all, folks --------------------------------------------------