Quite a lot of the per-host files involve allowing local untrusted
access to various services. This was being done with explicit network
address ranges, which led to repetition of the rules for IPv4 and IPv6,
or only permitting access through IPv4.
Instead, introduce a new chain (actually promoted from `vampire.m4') for
these local untrusted clients and replace the explicit address ranges.
i2p
## Allow smb and nmb to untrusted hosts.
i2p
## Allow smb and nmb to untrusted hosts.
-run iptables -A inbound -j ACCEPT \
- -s 172.29.198.0/24 \
+run ip46tables -A inbound-untrusted -j ACCEPT \
-p udp -m multiport --destination-ports \
-p udp -m multiport --destination-ports \
- $port_netbios_ns,$port_netbios_dgm
-run iptables -A inbound -j ACCEPT \
- -s 172.29.198.0/24 \
- -p tcp -m multiport --destination-ports \
- $port_netbios_ssn,$port_microsoft_ds
+ $port_netbios_ns,$port_netbios_dgm
## Open ports for Rygel.
run iptables -A inbound -j ACCEPT -s 172.29.198.0/23 -p igmp
## Open ports for Rygel.
run iptables -A inbound -j ACCEPT -s 172.29.198.0/23 -p igmp
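Review bot: The rewritten rule keeps only the UDP `$port_netbios_ns,$port_netbios_dgm` ports; the removed TCP rule for `$port_netbios_ssn,$port_microsoft_ds` has no counterpart on the new side, so smb over TCP is no longer accepted from untrusted hosts here unless it is opened somewhere outside this hunk (for example through an `allowservices inbound-untrusted tcp` list). If dropping it is intended, the `## Allow smb and nmb to untrusted hosts.` comment should be narrowed to nmb; otherwise add `run ip46tables -A inbound-untrusted -j ACCEPT -p tcp -m multiport --destination-ports $port_netbios_ssn,$port_microsoft_ds` after the UDP rule. The Rygel igmp rule that follows still carries a literal `-s 172.29.198.0/23` (a wider prefix than the /24 used elsewhere) and was not moved onto the new chain, which appears to be the point of the commit.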
ntpclient inbound $ntp_servers
## Provide NTP service to untrusted clients.
ntpclient inbound $ntp_servers
## Provide NTP service to untrusted clients.
-run iptables -A inbound -p udp -j ACCEPT \
- --source-port 123 --destination-port 123 \
- -s 172.29.198.0/23
-run ip6tables -A inbound -p udp -j ACCEPT \
- --source-port 123 --destination-port 123 \
- -s 2001:ba8:1d9::/48
-run ip6tables -A inbound -p udp -j ACCEPT \
- --source-port 123 --destination-port 123 \
- -s 2001:8b0:c92::/48
+run ip46tables -A inbound-untrusted -p udp -j ACCEPT \
+ --source-port 123 --destination-port 123
## Guaranteed black hole. Put this at the very front of the chain.
run iptables -I INPUT -d 212.13.198.78 -j DROP
## Guaranteed black hole. Put this at the very front of the chain.
run iptables -I INPUT -d 212.13.198.78 -j DROP
ntpclient inbound $ntp_servers
## Provide NTP service to untrusted clients.
ntpclient inbound $ntp_servers
## Provide NTP service to untrusted clients.
-run iptables -A inbound -p udp -j ACCEPT \
- --source-port 123 --destination-port 123 \
- -s 172.29.198.0/23
-run ip6tables -A inbound -p udp -j ACCEPT \
- --source-port 123 --destination-port 123 \
- -s 2001:ba8:1d9::/48
-run ip6tables -A inbound -p udp -j ACCEPT \
- --source-port 123 --destination-port 123 \
- -s 2001:8b0:c92::/48
+run ip46tables -A inbound-untrusted -p udp -j ACCEPT \
+ --source-port 123 --destination-port 123
m4_divert(-1)
###----- That's all, folks --------------------------------------------------
m4_divert(-1)
###----- That's all, folks --------------------------------------------------
## Provide DNS resolution to local untrusted hosts.
for p in tcp udp; do
## Provide DNS resolution to local untrusted hosts.
for p in tcp udp; do
- run iptables -A inbound -j ACCEPT \
- -s 172.29.198.0/24 \
+ run ip46tables -A inbound -j ACCEPT \
-p $p --destination-port $port_dns
done
-p $p --destination-port $port_dns
done
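Review bot: The new DNS rule `run ip46tables -A inbound -j ACCEPT \` drops the `-s 172.29.198.0/24` restriction but stays on the `inbound` chain instead of `inbound-untrusted`, so port `$port_dns` on this host is now accepted from every source that reaches `inbound` (the INPUT rules in this commit send both `$from_scary` and `$from_untrusted` marked traffic there), not only the local untrusted hosts the comment describes. The otherwise identical hunk later in this commit uses `-A inbound-untrusted`; unless this host is meant to be a public resolver, this one should read `run ip46tables -A inbound-untrusted -j ACCEPT \` as well.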
### Locally-bound packet inspection.
clearchain inbound
### Locally-bound packet inspection.
clearchain inbound
+clearchain inbound-untrusted
## Track connections.
commonrules inbound
## Track connections.
commonrules inbound
openports inbound
## Inspect inbound packets from untrusted sources.
openports inbound
## Inspect inbound packets from untrusted sources.
+run ip6tables -A inbound -s 2001:8b0:c92:8000::/49 -g inbound-untrusted
+run ip6tables -A inbound -s 2001:ba8:1d9:8000::/49 -g inbound-untrusted
+run ip46tables -A inbound-untrusted -g forbidden
run ip46tables -A inbound -g forbidden
run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
run ip46tables -A inbound -g forbidden
run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
+run iptables -A inbound -s 172.29.198.0/24 -j inbound-untrusted
## Allow responses from the scary outside world into the untrusted net, but
## don't let untrusted things run services.
## Allow responses from the scary outside world into the untrusted net, but
## don't let untrusted things run services.
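Review bot: The IPv4 hand-off `run iptables -A inbound -s 172.29.198.0/24 -j inbound-untrusted` is appended after `run ip46tables -A inbound -g forbidden`, which has no match criteria; if the file order is as shown, the IPv4 rule sits behind an unconditional goto in `inbound` and is never evaluated, so IPv4 untrusted clients would never reach the new chain while the two IPv6 rules, placed before the goto, would. It also uses `-j` where the IPv6 rules use `-g`, which changes where a fall-through from `forbidden` resumes. Moving it up beside the IPv6 rules under `## Inspect inbound packets from untrusted sources.` as `run iptables -A inbound -s 172.29.198.0/24 -g inbound-untrusted` would make the three rules behave alike. The rules removed from vampire.m4 selected these networks through `$net_inet_untrusted` and `$net_inet6_untrusted`; if those variables are still defined, reusing them here would avoid re-hardcoding the prefixes in the shared file.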
## Provide DNS resolution to local untrusted hosts.
for p in tcp udp; do
## Provide DNS resolution to local untrusted hosts.
for p in tcp udp; do
- run iptables -A inbound -j ACCEPT \
- -s 172.29.198.0/24 \
+ run ip46tables -A inbound-untrusted -j ACCEPT \
-p $p --destination-port $port_dns
done
-p $p --destination-port $port_dns
done
-## Extend some services to local untrusted hosts.
-clearchain inbound-untrusted
-run iptables -A inbound -j inbound-untrusted -s $net_inet_untrusted
-run ip6tables -A inbound -j inbound-untrusted -s $net_inet6_untrusted
-
allowservices inbound-untrusted tcp \
dns \
lpd \
allowservices inbound-untrusted tcp \
dns \
lpd \
ntpclient inbound $ntp_servers
## Provide NTP service to untrusted clients.
ntpclient inbound $ntp_servers
## Provide NTP service to untrusted clients.
-run iptables -A inbound -p udp -j ACCEPT \
- --source-port 123 --destination-port 123 \
- -s 172.29.198.0/23
-run ip6tables -A inbound -p udp -j ACCEPT \
- --source-port 123 --destination-port 123 \
- -s 2001:ba8:1d9::/48
-run ip6tables -A inbound -p udp -j ACCEPT \
- --source-port 123 --destination-port 123 \
- -s 2001:8b0:c92::/48
+ip46tables -A inbound-untrusted -p udp -j ACCEPT \
+ --source-port 123 --destination-port 123
m4_divert(-1)
###----- That's all, folks --------------------------------------------------
m4_divert(-1)
###----- That's all, folks --------------------------------------------------
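Review bot: The new NTP rule `ip46tables -A inbound-untrusted -p udp -j ACCEPT \` is the only rewritten rule in this commit that is not prefixed with `run`; every other rule, including the surrounding `ntpclient` call and the identical NTP hunks in the other host files, goes through that wrapper, so this looks like a dropped word rather than a deliberate direct call. Change it to `run ip46tables -A inbound-untrusted -p udp -j ACCEPT \`. Separately, removing `clearchain inbound-untrusted` and the two jump rules from this file is only safe if every host that includes it also includes the shared file that now creates and populates the chain; otherwise the `allowservices inbound-untrusted tcp` block left in context refers to a chain that no longer exists.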