From: Mark Wooding
Date: Sat, 24 Mar 2012 17:07:36 +0000 (+0000)
Subject: Merge remote-tracking branch 'origin' into emergency
X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/commitdiff_plain/b4d07df30bdd2132a03de9a22512560d585d918a?hp=ebaa31a7bdb640c1bd797fef04d1e833a34c07d7

Merge remote-tracking branch 'origin' into emergency

* origin:
local.m4: A new network for the SGO VPN.
functions.m4, classify.m4: Handle negative address ranges.
Make FW_NOACT work properly.

Conflicts:
local.m4
---
diff --git a/bookends.m4 b/bookends.m4
index f451c8d..9757a38 100644
--- a/bookends.m4
+++ b/bookends.m4
@@ -108,11 +108,17 @@ m4_divert(32)m4_dnl
 ## Set forwarding options. Apparently setting ip_forward clobbers other
 ## settings, so put this first.
 case $host_type_<::>FWHOST in
- router) forward=1 ;;
- *) forward=0 ;;
+ router) forward=1 host=0 ;;
+ server) forward=0 host=0 ;;
+ client) forward=0 host=1 ;;
 esac
 setopt ip_forward $forward
 setdevopt forwarding $forward
+for i in \
+ accept_ra accept_ra_defrtr accept_ra_pinfo accept_ra_info_max_plen
+do
+ setdevopt $i $host
+done
 case $forward in
 0) inchains="INPUT" ;;
 1) inchains="INPUT FORWARD" ;;
diff --git a/functions.m4 b/functions.m4
index 16c07c8..c3609a5 100644
--- a/functions.m4
+++ b/functions.m4
@@ -183,7 +183,7 @@ setdevopt () {
 for ver in ipv4 ipv6; do
 if [ -f /proc/sys/net/$ver/conf/$i/$opt ]; then
 any=t
- run sysctl -q net/ipv4/conf/$i/$opt="$val"
+ run sysctl -q net/$ver/conf/$i/$opt="$val"
 fi
 done
 case $any in
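Review bot: The rewritten `case $host_type_<::>FWHOST in` no longer has a catch-all arm, so a FWHOST whose type is unset (a host never declared with `defhost`, e.g. a misspelt name) or unrecognised matches nothing and leaves `$forward` and `$host` empty; `setopt ip_forward $forward` and the accept_ra loop then run with an empty value instead of failing, and what `setopt` does with a missing argument is not visible here. The removed `*) forward=0 ;;` was a fail-closed default; I would restore a catch-all that aborts rather than one that guesses, e.g. `*) echo >&2 "$0: unknown host type for FWHOST"; exit 1 ;;`. The new accept_ra loop also deserves a one-line why-comment, e.g. `## Only client hosts (host=1) take router advertisements; routers and servers ignore them.`. The enclosing m4_divert(32) section continues outside the hunk.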
@@ -513,14 +513,19 @@ host () {
 defhost () {
 host=$1
 addword allhosts $host
- eval host_type_$host=endsys
+ eval host_type_$host=server
 }
 
-## router
+## hosttype TYPE
 ##
-## Declare the host to be a router, so it should forward packets and so on.
-router () {
- eval host_type_$host=router
+## Declare the host to have the given type.
+hosttype () {
+ type=$1
+ case $type in
+ router | server | client) ;;
+ *) echo >&2 "$0: bad host type \`$type'"; exit 1 ;;
+ esac
+ eval host_type_$host=$type
 }
 
 ## iface IFACE NET ...
diff --git a/local.m4 b/local.m4
index 357043b..ba09c39 100644
--- a/local.m4
+++ b/local.m4
@@ -71,7 +71,7 @@ defnet housebdry virtual
 
 ## House hosts.
 defhost radius
- router
+ hosttype router
 iface eth0 dmz unsafe safe
 iface eth1 dmz unsafe safe
 iface eth2 safe
@@ -86,11 +86,11 @@ defhost artist
 iface eth0 dmz unsafe
 iface eth1 dmz unsafe
 defhost vampire
- router
- iface eth0.0 dmz unsafe safe
- iface eth0.1 dmz unsafe safe
+ hosttype router
+ iface eth0.0 dmz unsafe safe default
+ iface eth0.1 dmz unsafe safe default
 iface eth0.2 safe
- iface eth0.3 untrusted
+ iface eth0.3 untrusted default
 iface dns0 iodine
 iface vpn-precision colobdry vpn
 iface vpn-chiark sgo
@@ -100,6 +100,7 @@ defhost ibanez
 iface br-unsafe unsafe
 defhost gibson
+ hosttype client
 iface eth0 unsafe
 
 ## Colocated networks.
@@ -120,7 +121,7 @@ defhost fender
 iface br-jump jump colo
 iface br-colo jump colo
 defhost precision
- router
+ hosttype router
 iface eth0 jump colo
 iface eth1 jump colo
 iface vpn-vampire housebdry vpn
diff --git a/numbers.m4 b/numbers.m4
index d5ab0c1..c94ae5f 100644
--- a/numbers.m4
+++ b/numbers.m4
@@ -49,6 +49,7 @@ defport rsync 873
 defport imaps 993
 defport h323 1720
 defport squid 3128
+defport rdesktop 3389
 defport tripe 4070
 defport siplo 5000
 defport siphi 5100
diff --git a/vampire.m4 b/vampire.m4
index b3257c7..d283145 100644
--- a/vampire.m4
+++ b/vampire.m4
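Review bot: `hosttype` validates `$1` before it reaches `eval`, which is right, but it does not check the implicit `$host` it writes through; called before any `defhost` (or after a `defhost` with an empty name) it evaluates `host_type_=TYPE`, creating a stray variable and silently typing nothing. A guard in the file's own style would close that, e.g. `case $host in "") echo >&2 "$0: hosttype: no current host (use defhost first)"; exit 1 ;; esac` placed before the `eval`. The default in `defhost` changes from `endsys` to `server`; any remaining comparison against `endsys` elsewhere in functions.m4 would now never match, which I cannot confirm from this hunk. The `## hosttype TYPE` header should also list the accepted values, e.g. `## TYPE is one of router, server or client; the default from defhost is server.`.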
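Review bot: The `default` network appended to vampire's `eth0.0`, `eth0.1` and `eth0.3` lines is not explained anywhere in the hunk, and `defnet default` is outside it, so a reader cannot tell what address class it introduces or why the `untrusted` VLAN on `eth0.3` carries it alongside the DMZ interfaces. Since this pairs a presumably broad match with the least-trusted interface, a comment on `defhost vampire` stating what `default` covers and which classification rule it feeds would make the change reviewable, e.g. `## default: [what this net matches — confirm against defnet default]` with the bracketed part filled in by the author. The `hosttype router` / `hosttype client` edits are straightforward and need no note.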
@@ -70,5 +70,38 @@ run iptables -A OUTPUT -m multiport \
 dnsresolver inbound
 ntpclient inbound $ntp_servers
 
+## IPv6 6-in-4 tunnel.
+run iptables -A inbound -j ACCEPT \
+ -p $proto_ipv6 -s 216.66.80.26
+
+## NAT for RFC1918 addresses.
+for i in PREROUTING OUTPUT POSTROUTING; do
+ run iptables -t nat -P $i ACCEPT 2>/dev/null || :
+ run iptables -t nat -F $i 2>/dev/null || :
+done
+run iptables -t nat -F
+run iptables -t nat -X
+
+run iptables -t nat -N outbound
+run iptables -t nat -A outbound -j RETURN ! -o eth0.0
+run iptables -t nat -A outbound -j RETURN ! -s 172.29.198.0/23
+run iptables -t nat -A outbound -j RETURN -d 62.49.204.144/28
+run iptables -t nat -A outbound -j RETURN -d 172.29.198.0/23
+run iptables -t nat -A outbound -j SNAT --to-source 62.49.204.158
+run iptables -t nat -A POSTROUTING -j outbound
+
+## Set up NAT protocol helpers. In particular, SIP needs some special
+## twiddling.
+run modprobe nf_conntrack_sip \
+ ports=5060 \
+ sip_direct_signalling=0 \
+ sip_direct_media=0
+for p in ftp sip h323; do
+ run modprobe nf_nat_$p
+done
+
+## Forbid anything complicated to the NAT address.
+run iptables -A INPUT -d 62.49.204.158 ! -p icmp -j REJECT
+
 m4_divert(-1)
 ###----- That's all, folks --------------------------------------------------
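Review bot: The `modprobe nf_conntrack_sip ports=5060 sip_direct_signalling=0 sip_direct_media=0` call only applies those parameters when the module is not yet loaded; if it was autoloaded earlier or the script is re-run on reload, modprobe returns success without touching the live settings, so the helper silently keeps whatever it had and `run` (defined outside this file) presumably sees no error. Put the options in a modprobe.d file (`options nf_conntrack_sip ports=5060 sip_direct_signalling=0 sip_direct_media=0`) and keep the bare `modprobe` here, or verify the values under `/sys/module/nf_conntrack_sip/parameters/` after loading. Both `sip_direct_*=0` settings widen the helper so that signalling and media are accepted from hosts other than the registrar/peer; a comment naming the SIP setup that needs this would document the exposure, and pinning helpers to the expected flows in the raw table with the CT target (`-j CT --helper sip`) would stop them attaching to unrelated port-5060 traffic. The 6-in-4 `ACCEPT` matches on source address only, which is inherent to the protocol, but adding `-d` with the local tunnel endpoint would narrow it further.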