## Packet arrived on wrong interface for its source address. Drops the
## packet, since there's nowhere sensible to send an error.
+errorchain dns-rate-limit DROP
+## Dropped incoming DNS query due to rate limiting. The source address is
+## suspicious, so don't produce ICMP.
+
errorchain bad-destination-address REJECT
## Packet arrived on non-loopback interface with loopback destination.
## Ensure that the named chains exist and are empty.
clearchain () {
set -e
- for chain; do
- case $chain in
- *:*) table=${chain%:*} chain=${chain#*:} ;;
+ for _chain; do
+ case $_chain in
+ *:*) table=${_chain%:*} _chain=${_chain#*:} ;;
*) table=filter ;;
esac
- run ip46tables -t $table -N $chain 2>/dev/null || :
+ run ip46tables -t $table -N $_chain 2>/dev/null || :
done
}
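Review bot: The rename to `_chain` stops clearchain from clobbering a caller's `chain` (dnsserver sets `chain=$1` and then calls `clearchain $chain-udp-dns`), but `table` is still assigned unprefixed on the new `*:*)` arm, so a caller holding its own `table` variable loses it in exactly the same way. For consistency the arms could read `*:*) _table=${_chain%:*} _chain=${_chain#*:} ;;` and `*) _table=filter ;;`, with `run ip46tables -t $_table -N $_chain 2>/dev/null || :` below. Separately, `2>/dev/null || :` hides every failure of chain creation, not just "chain already exists"; that is pre-existing, but a comment such as `## -N fails harmlessly if the chain already exists; other errors are hidden too.` would make the intent explicit for the next reader.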
done
}
+## dnsserver CHAIN
+##
+## Add rules to allow CHAIN to be a DNS server.
+dnsserver () {
+ set -e
+ chain=$1
+
+ ## Allow TCP access. Hitting us with SYNs will make us deploy SYN cookies,
+ ## but that's tolerable.
+ run ip46tables -A $chain -j ACCEPT -p tcp --destination-port 53
+
+ ## Avoid being a DDoS amplifier by rate-limiting incoming DNS queries.
+ clearchain $chain-udp-dns
+ run ip46tables -A $chain-udp-dns -j ACCEPT \
+ -m limit --limit 20/second --limit-burst 300
+ run ip46tables -A $chain-udp-dns -g dns-rate-limit
+ run ip46tables -A $chain -j $chain-udp-dns \
+ -p udp --destination-port 53
+}
+
## openports CHAIN [MIN MAX]
##
## Add rules to CHAIN to allow the open ports.
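Review bot: The `-m limit --limit 20/second --limit-burst 300` on the `$chain-udp-dns` ACCEPT is a single token bucket shared by every client, so one source sending more than 20 queries/s diverts everyone else's UDP queries into `dns-rate-limit` and drops them — a cheap way to deny DNS service to legitimate clients rather than only to the abuser. A per-source bucket, `-m hashlimit --hashlimit-mode srcip --hashlimit-upto 20/second --hashlimit-burst 300 --hashlimit-name <NAME>`, confines the effect to the offending address; a global cap can still sit behind it if amplification from spoofed sources is the main worry, since spoofed traffic spreads across many addresses. Note also that the per-host hunks remove `iodine` together with `dns` from allowservices (the `dns iodine` lines), so if iodine is served on UDP/53 its tunnel traffic now passes through this same limit and may be throttled at 20 packets/s — worth confirming before deploying. Since `chain=$1` is a plain global in this sh style, a one-line comment `## NB: chain is global; clearchain uses _chain so as not to clobber it.` would document why the helper rename was needed.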
## Externally visible services.
allowservices inbound tcp \
ident \
- dns \
ssh
allowservices inbound udp \
- dns \
tripe
## Other interesting things.
dnsresolver inbound
+dnsserver inbound
m4_divert(-1)
###----- That's all, folks --------------------------------------------------
## Externally visible services.
allowservices inbound tcp \
ident \
- dns iodine \
ssh
allowservices inbound udp \
- dns iodine \
tripe
-## Provide DNS resolution to local untrusted hosts.
-for p in tcp udp; do
- run iptables -A inbound -j ACCEPT \
- -s 172.29.198.0/24 \
- -p $p --destination-port $port_dns
-done
-
## Provide syslog for evolution.
run iptables -A inbound -j ACCEPT \
-s 172.29.198.2 \
## Other interesting things.
dnsresolver inbound
+dnsserver inbound
## IPv6 6-in-4 tunnel.
run iptables -A inbound -j ACCEPT \
## Externally visible services.
allowservices inbound tcp \
finger ident \
- dns iodine \
ssh \
smtp submission \
gnutella_svc \
git \
tor_public tor_directory i2p
allowservices inbound udp \
- dns iodine \
tripe \
gnutella_svc \
i2p
## Other interesting things.
dnsresolver inbound
+dnsserver inbound
ntpclient inbound $ntp_servers
m4_divert(-1)