local.m4, precision.m4: Introduce `vpnnat' network class for nefarious hacks.

This allows hosts to route to the outside world via a remote VPN
endpoint, in order to work around local network problems or geographical
restrictions.

diff --git a/local.m4 b/local.m4
index 821cea9..f682680 100644 (file)
--- a/local.m4
+++ b/local.m4
@@ -110,11 +110,12 @@ m4_divert(-1)
 
 ## Define the available network classes.
 m4_divert(42)m4_dnl
 
 ## Define the available network classes.
 m4_divert(42)m4_dnl

-defnetclass scary      scary           trusted             mcast
-defnetclass untrusted  scary untrusted trusted             mcast
-defnetclass trusted    scary untrusted trusted safe noloop mcast
-defnetclass safe                       trusted safe noloop mcast
-defnetclass noloop                     trusted safe        mcast
+defnetclass scary      scary           trusted             vpnnat mcast
+defnetclass untrusted  scary untrusted trusted                    mcast
+defnetclass trusted    scary untrusted trusted safe noloop vpnnat mcast
+defnetclass safe                       trusted safe noloop vpnnat mcast
+defnetclass noloop                     trusted safe               mcast
+defnetclass vpnnat     scary           trusted safe               mcast

 
 defnetclass link
 defnetclass mcast
 
 defnetclass link
 defnetclass mcast


@@ -243,6 +244,7 @@ defnet hub virtual
        via housebdry colobdry
 defnet sgo noloop
        addr !172.29.198.0/23
        via housebdry colobdry
 defnet sgo noloop
        addr !172.29.198.0/23

+       addr !10.165.27.0/24

        addr 10.0.0.0/8
        addr 172.16.0.0/12
        addr 192.168.0.0/16
        addr 10.0.0.0/8
        addr 172.16.0.0/12
        addr 192.168.0.0/16


@@ -274,13 +276,13 @@ defhost national
        iface vpn-precision colohub
 
 ## Satellite networks.
        iface vpn-precision colohub
 
 ## Satellite networks.

-defnet binswood noloop
+defnet binswood vpnnat

        addr 10.165.27.0/24
        via colohub
 defhost mango
        hosttype router
        iface eth0 binswood default
        addr 10.165.27.0/24
        via colohub
 defhost mango
        hosttype router
        iface eth0 binswood default

-       iface vpn-precision colo
+       iface vpn-precision colo default

 
 m4_divert(80)m4_dnl
 ###--------------------------------------------------------------------------
 
 m4_divert(80)m4_dnl
 ###--------------------------------------------------------------------------

diff --git a/precision.m4 b/precision.m4
index 598a990..2a07763 100644 (file)
--- a/precision.m4
+++ b/precision.m4
@@ -36,5 +36,17 @@ allowservices inbound udp \
 dnsresolver inbound
 dnsserver inbound
 
 dnsresolver inbound
 dnsserver inbound
 

+## Nefarious VPN NAT hack.
+for i in PREROUTING OUTPUT POSTROUTING; do
+  run iptables -t nat -P $i ACCEPT 2>/dev/null || :
+  run iptables -t nat -F $i 2>/dev/null || :
+done
+run iptables -t nat -F
+run iptables -t nat -X
+makeset vpn-nat hash:net family inet
+run iptables -t nat -A POSTROUTING -o eth0 \
+       -m set --match-set vpn-nat dst \
+       -j SNAT --to-source 212.13.198.70
+

 m4_divert(-1)
 ###----- That's all, folks --------------------------------------------------
 m4_divert(-1)
 ###----- That's all, folks --------------------------------------------------