## Define the available network classes.
m4_divert(42)m4_dnl
- defnetclass untrusted untrusted trusted
- defnetclass trusted untrusted trusted safe noloop
- defnetclass safe trusted safe noloop
- defnetclass noloop trusted safe
+ defnetclass untrusted untrusted trusted mcast
+ defnetclass trusted untrusted trusted safe noloop mcast
+ defnetclass safe trusted safe noloop mcast
+ defnetclass noloop trusted safe mcast
+ defnetclass link
+ defnetclass mcast
m4_divert(-1)
m4_divert(26)m4_dnl
iface eth1 dmz unsafe
defhost vampire
router
- iface eth0.0 dmz unsafe safe
- iface eth0.1 dmz unsafe safe
+ iface eth0.0 dmz unsafe safe default
+ iface eth0.1 dmz unsafe safe default
iface eth0.2 safe
- iface eth0.3 untrusted
+ iface eth0.3 untrusted default
iface dns0 dns
iface vpn-+ vpn
iface vpn-precision colobdry vpn
+ iface t6-he default
defhost ibanez
iface br-dmz dmz unsafe
iface br-unsafe unsafe
run iptables -A fwd-spec-nofrag -j RETURN --fragment
run ip6tables -A fwd-spec-nofrag -j RETURN \
-m ipv6header --soft --header frag
- run iptables -A FORWARD -j fwd-spec-nofrag
+ run ip46tables -A FORWARD -j fwd-spec-nofrag
## Allow ping from safe/noloop to untrusted networks.
run iptables -A fwd-spec-nofrag -j ACCEPT \
-m mark --mark $from_untrusted/$MASK_FROM \
-m state --state ESTABLISHED
run ip6tables -A fwd-spec-nofrag -j ACCEPT \
- -p ipv6-icmp --icmpv6-type echo-request \
+ -p icmpv6 --icmpv6-type echo-request \
-m mark --mark $to_untrusted/$MASK_TO
run ip6tables -A fwd-spec-nofrag -j ACCEPT \
- -p ipv6-icmp --icmpv6-type echo-reply \
+ -p icmpv6 --icmpv6-type echo-reply \
-m mark --mark $from_untrusted/$MASK_FROM \
-m state --state ESTABLISHED
-s 172.29.198.0/23 \
-p udp --source-port $port_bootpc --destination-port $port_bootps
- ## Incoming multicast on a network interface associated with a trusted
- ## network is OK, since it must have originated there (or been forwarded, but
- ## we don't do that yet).
- seen=:-:
- for net in $allnets; do
- eval class=\$net_class_$net
- case $class in trusted) ;; *) continue ;; esac
- for iface in $(net_interfaces FWHOST $net); do
- case "$seen" in *:$iface:*) continue ;; esac
- seen=$seen$iface:
- run iptables -A inbound -j ACCEPT \
- -s 0.0.0.0 -d 224.0.0.0/24 \
- -i $iface
- done
- done
-
## Allow incoming ping. This is the only ICMP left.
run ip46tables -A inbound -j ACCEPT -p icmp
run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
## Otherwise process as indicated by the mark.
- run ip46tables -A INPUT -m mark ! --mark 0/$MASK_MASK -j ACCEPT
- case $forward in
- 1)
- run ip46tables -A FORWARD -m mark ! --mark 0/$MASK_MASK -j ACCEPT
- ;;
- esac
+ for i in $inchains; do
+ run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
+ done
m4_divert(-1)
###----- That's all, folks --------------------------------------------------
dns iodine \
ssh \
smtp submission \
+ rdesktop \
gnutella_svc \
ftp ftp_data \
rsync \
## Extend some services to local untrusted hosts.
clearchain inbound-untrusted
- run iptables -A inbound -j inbound-untrusted \
- -s 172.29.198.0/24
+ run iptables -A inbound -j inbound-untrusted -s $net_inet_untrusted
+ run ip6tables -A inbound -j inbound-untrusted -s $net_inet6_untrusted
allowservices inbound-untrusted tcp \
dns \
dnsresolver inbound
ntpclient inbound $ntp_servers
+## IPv6 6-in-4 tunnel.
+run iptables -A inbound -j ACCEPT \
+ -p $proto_ipv6 -s 216.66.80.26
+
+## NAT for RFC1918 addresses.
+for i in PREROUTING OUTPUT POSTROUTING; do
+ run iptables -t nat -P $i ACCEPT 2>/dev/null || :
+ run iptables -t nat -F $i 2>/dev/null || :
+done
+run iptables -t nat -F
+run iptables -t nat -X
+
+run iptables -t nat -N outbound
+run iptables -t nat -A outbound -j RETURN ! -o eth0.0
+run iptables -t nat -A outbound -j RETURN ! -s 172.29.198.0/23
+run iptables -t nat -A outbound -j RETURN -d 62.49.204.144/28
+run iptables -t nat -A outbound -j RETURN -d 172.29.198.0/23
+run iptables -t nat -A outbound -j SNAT --to-source 62.49.204.158
+run iptables -t nat -A POSTROUTING -j outbound
+
+## Set up NAT protocol helpers. In particular, SIP needs some special
+## twiddling.
+run modprobe nf_conntrack_sip \
+ ports=5060 \
+ sip_direct_signalling=0 \
+ sip_direct_media=0
+for p in ftp sip h323; do
+ run modprobe nf_nat_$p
+done
+
+## Forbid anything complicated to the NAT address.
+run iptables -A INPUT -d 62.49.204.158 ! -p icmp -j REJECT
+
m4_divert(-1)
###----- That's all, folks --------------------------------------------------