## Set forwarding options. Apparently setting ip_forward clobbers other
## settings, so put this first.
case $host_type_<::>FWHOST in
- router) forward=1 ;;
- *) forward=0 ;;
+ router) forward=1 host=0 ;;
+ server) forward=0 host=0 ;;
+ client) forward=0 host=1 ;;
esac
setopt ip_forward $forward
setdevopt forwarding $forward
+for i in \
+ accept_ra accept_ra_defrtr accept_ra_pinfo accept_ra_info_max_plen
+do
+ setdevopt $i $host
+done
case $forward in
0) inchains="INPUT" ;;
1) inchains="INPUT FORWARD" ;;
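Review bot: The rewritten `case $host_type_<::>FWHOST` no longer has a `*)` arm, so a host whose type is unset or is anything other than router/server/client leaves both `$forward` and `$host` empty, and `setopt ip_forward $forward` and the new `setdevopt $i $host` loop then run with a missing argument rather than stopping. Since `hosttype` is the only place the set of valid types is enforced, adding a fourth type there without touching this `case` would fail silently here; a defaulting arm that refuses to continue, `*) echo >&2 "$0: unknown host type for this host"; exit 1 ;;`, keeps the two lists in step. The `case $forward in` that closes the hunk has its `esac` outside the visible lines.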
for ver in ipv4 ipv6; do
if [ -f /proc/sys/net/$ver/conf/$i/$opt ]; then
any=t
- run sysctl -q net/ipv4/conf/$i/$opt="$val"
+ run sysctl -q net/$ver/conf/$i/$opt="$val"
fi
done
case $any in
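Review bot: The new `net/$ver/conf/$i/$opt` key keeps the slash-separated sysctl form, and nothing in the hunk says why that matters; the host definitions in this tree use VLAN interface names containing dots (`eth0.0`, `eth0.3`), so the slash form is presumably what stops sysctl from reading those dots as separators. A one-line comment above the `sysctl` call, `## Slash-separated keys on purpose: interface names such as eth0.0 contain dots.`, would keep a later tidy-up from switching to the dotted form. The enclosing loop over `$i`/`$opt` starts before the hunk and the `case $any` check continues after it.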
defhost () {
host=$1
addword allhosts $host
- eval host_type_$host=endsys
+ eval host_type_$host=server
}
-## router
+## hosttype TYPE
##
-## Declare the host to be a router, so it should forward packets and so on.
-router () {
- eval host_type_$host=router
+## Declare the host to have the given type.
+hosttype () {
+ type=$1
+ case $type in
+ router | server | client) ;;
+ *) echo >&2 "$0: bad host type \`$type'"; exit 1 ;;
+ esac
+ eval host_type_$host=$type
}
## iface IFACE NET ...
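Review bot: `hosttype` reads `$host` as set by the preceding `defhost`, but never checks that one has run, so calling it first yields `eval host_type_=router`, a valid but useless assignment that later lookups will miss. The `case` whitelist makes the `eval` safe with respect to `$type`; `$host` is still interpolated unchecked, so a guard at the top, `[ -n "$host" ] || { echo >&2 "$0: hosttype before defhost"; exit 1; }`, would catch the ordering mistake the same way bad type names are caught. The `## hosttype TYPE` header could also state that it applies to the most recently declared host and that `type` is left as a global, matching how `defhost` sets `host`.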
## House hosts.
defhost radius
- router
+ hosttype router
iface eth0 dmz unsafe safe
iface eth1 dmz unsafe safe
iface eth2 safe
iface eth0 dmz unsafe
iface eth1 dmz unsafe
defhost vampire
- router
- iface eth0.0 dmz unsafe safe
- iface eth0.1 dmz unsafe safe
+ hosttype router
+ iface eth0.0 dmz unsafe safe default
+ iface eth0.1 dmz unsafe safe default
iface eth0.2 safe
- iface eth0.3 untrusted
+ iface eth0.3 untrusted default
iface dns0 iodine
iface vpn-precision colobdry vpn
iface vpn-chiark sgo
iface br-unsafe unsafe
defhost gibson
+ hosttype client
iface eth0 unsafe
## Colocated networks.
iface br-jump jump colo
iface br-colo jump colo
defhost precision
- router
+ hosttype router
iface eth0 jump colo
iface eth1 jump colo
iface vpn-vampire housebdry vpn
defport imaps 993
defport h323 1720
defport squid 3128
+defport rdesktop 3389
defport tripe 4070
defport siplo 5000
defport siphi 5100
dnsresolver inbound
ntpclient inbound $ntp_servers
+## IPv6 6-in-4 tunnel.
+run iptables -A inbound -j ACCEPT \
+ -p $proto_ipv6 -s 216.66.80.26
+
+## NAT for RFC1918 addresses.
+for i in PREROUTING OUTPUT POSTROUTING; do
+ run iptables -t nat -P $i ACCEPT 2>/dev/null || :
+ run iptables -t nat -F $i 2>/dev/null || :
+done
+run iptables -t nat -F
+run iptables -t nat -X
+
+run iptables -t nat -N outbound
+run iptables -t nat -A outbound -j RETURN ! -o eth0.0
+run iptables -t nat -A outbound -j RETURN ! -s 172.29.198.0/23
+run iptables -t nat -A outbound -j RETURN -d 62.49.204.144/28
+run iptables -t nat -A outbound -j RETURN -d 172.29.198.0/23
+run iptables -t nat -A outbound -j SNAT --to-source 62.49.204.158
+run iptables -t nat -A POSTROUTING -j outbound
+
+## Set up NAT protocol helpers. In particular, SIP needs some special
+## twiddling.
+run modprobe nf_conntrack_sip \
+ ports=5060 \
+ sip_direct_signalling=0 \
+ sip_direct_media=0
+for p in ftp sip h323; do
+ run modprobe nf_nat_$p
+done
+
+## Forbid anything complicated to the NAT address.
+run iptables -A INPUT -d 62.49.204.158 ! -p icmp -j REJECT
+
m4_divert(-1)
###----- That's all, folks --------------------------------------------------
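Review bot: The `modprobe nf_conntrack_sip` and `nf_nat_$p` lines load connection-tracking helpers with nothing that limits which flows they attach to, and `sip_direct_signalling=0`/`sip_direct_media=0` deliberately widen the SIP helper to accept signalling and media from addresses other than the registrar; on kernels that still auto-assign helpers by port, any host in the NATed range can have its payload parsed by the helper and get dynamic pinholes opened. Where the kernel supports it, disable automatic assignment with `net.netfilter.nf_conntrack_helper=0` and attach helpers explicitly with raw-table `-j CT --helper sip` (and `ftp`, `h323`) rules scoped to the hosts that need them, so a helper only sees the traffic it is meant for. Separately, `run iptables -A inbound -j ACCEPT -p $proto_ipv6 -s 216.66.80.26` matches on source address alone, so adding the ingress interface (`-i eth0.0`, if that is the external side as the SNAT rules suggest) would stop a spoofed source arriving on an internal interface from matching. The `inbound` chain and the `INPUT` policy are set up outside this hunk.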