From: Mark Wooding
Date: Sat, 17 Mar 2012 16:04:22 +0000 (+0000)
Subject: Merge branch 'master' into emergency
X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/commitdiff_plain/d8e37f37a3d09961f5bb0ab438e5ed2becba736d?hp=c68b8ecca140f3382431eb3d65ffe6a6ac3ba121
Merge branch 'master' into emergency
* master:
local.m4: Declare network for anycast services.
local.m4: Reorder forwarding networks for `default'.
local.m4: Move `vpn' to the common networks section.
---
diff --git a/bookends.m4 b/bookends.m4
index a0731d2..a10608d 100644
--- a/bookends.m4
+++ b/bookends.m4
@@ -106,11 +106,17 @@ m4_divert(32)m4_dnl
 ## Set forwarding options. Apparently setting ip_forward clobbers other
 ## settings, so put this first.
 case $host_type_<::>FWHOST in
- router) forward=1 ;;
- *) forward=0 ;;
+ router) forward=1 host=0 ;;
+ server) forward=0 host=0 ;;
+ client) forward=0 host=1 ;;
 esac
 setopt ip_forward $forward
 setdevopt forwarding $forward
+for i in \
+ accept_ra accept_ra_defrtr accept_ra_pinfo accept_ra_info_max_plen
+do
+ setdevopt $i $host
+done
 case $forward in
 0) inchains="INPUT" ;;
 1) inchains="INPUT FORWARD" ;;
diff --git a/functions.m4 b/functions.m4
index 0ebba30..89715a4 100644
--- a/functions.m4
+++ b/functions.m4
@@ -183,7 +183,7 @@ setdevopt () {
 for ver in ipv4 ipv6; do
 if [ -f /proc/sys/net/$ver/conf/$i/$opt ]; then
 any=t
- run sysctl -q net/ipv4/conf/$i/$opt="$val"
+ run sysctl -q net/$ver/conf/$i/$opt="$val"
 fi
 done
 case $any in
@@ -513,14 +513,19 @@ host () {
 defhost () {
 host=$1
 addword allhosts $host
- eval host_type_$host=endsys
+ eval host_type_$host=server
 }
-## router
+## hosttype TYPE
 ##
-## Declare the host to be a router, so it should forward packets and so on.
-router () {
- eval host_type_$host=router
+## Declare the host to have the given type.
+hosttype () {
+ type=$1
+ case $type in
+ router | server | client) ;;
+ *) echo >&2 "$0: bad host type \`$type'"; exit 1 ;;
+ esac
+ eval host_type_$host=$type
 }
 ## iface IFACE NET ...
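Review bot: The rewritten `case $host_type_<::>FWHOST in` in bookends.m4 drops the `*)` arm that used to force `forward=0`, so an unrecognised or unset host type now leaves both `forward` and `host` empty and `setopt ip_forward $forward` runs with no value at all; keep a fallback such as `*) forward=0 host=0 ;;`, or fail loudly the way `hosttype` in functions.m4 does. The fourth name in the new loop, `accept_ra_info_max_plen`, looks like it may be a misspelling of `accept_ra_rt_info_max_plen`; since setdevopt only writes options whose /proc file exists (visible in the first functions.m4 hunk), a wrong name would simply be skipped on every interface, with whatever `case $any` does afterwards being outside the hunk — worth checking against the kernel's ip-sysctl documentation.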
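Review bot: `hosttype` in functions.m4 validates TYPE but never checks that a host is current: with `$host` empty, `eval host_type_$host=$type` quietly defines a variable named `host_type_`, so a `hosttype` line placed before any `defhost` is accepted without complaint; a guard such as `case $host in '') echo >&2 "$0: hosttype before defhost"; exit 1 ;; esac` ahead of the eval would catch that (assuming nothing else in the file sets `host`). The header comment could also spell out the contract now that the default has changed, e.g. `## TYPE is one of router, server (the default assigned by defhost) or client.`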
diff --git a/local.m4 b/local.m4
index 3e33b3b..3a52c1b 100644
--- a/local.m4
+++ b/local.m4
@@ -71,7 +71,7 @@ defnet housebdry virtual
 ## House hosts.
 defhost radius
- router
+ hosttype router
 iface eth0 dmz unsafe safe
 iface eth1 dmz unsafe safe
 iface eth2 safe
@@ -86,19 +86,21 @@ defhost artist
 iface eth0 dmz unsafe
 iface eth1 dmz unsafe
 defhost vampire
- router
- iface eth0.0 dmz unsafe safe
- iface eth0.1 dmz unsafe safe
+ hosttype router
+ iface eth0.0 dmz unsafe safe default
+ iface eth0.1 dmz unsafe safe default
 iface eth0.2 safe
- iface eth0.3 untrusted
+ iface eth0.3 untrusted default
 iface dns0 dns
 iface vpn-+ vpn
 iface vpn-precision colobdry vpn
+ iface t6-he default
 defhost ibanez
 iface br-dmz dmz unsafe
 iface br-unsafe unsafe
 defhost gibson
+ hosttype client
 iface eth0 unsafe
 ## Colocated networks.
@@ -119,7 +121,7 @@ defhost fender
 iface br-jump jump colo
 iface br-colo jump colo
 defhost precision
- router
+ hosttype router
 iface eth0 jump colo
 iface eth1 jump colo
 iface vpn-+ vpn
diff --git a/numbers.m4 b/numbers.m4
index d5ab0c1..c94ae5f 100644
--- a/numbers.m4
+++ b/numbers.m4
@@ -49,6 +49,7 @@ defport rsync 873
 defport imaps 993
 defport h323 1720
 defport squid 3128
+defport rdesktop 3389
 defport tripe 4070
 defport siplo 5000
 defport siphi 5100
diff --git a/vampire.m4 b/vampire.m4
index b3257c7..d283145 100644
--- a/vampire.m4
+++ b/vampire.m4
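Review bot: `iface eth0.3 untrusted default` in the second local.m4 hunk puts an interface the file itself labels untrusted into the same `default` network as the `dmz unsafe safe` uplinks and the new `t6-he` tunnel. What membership of `default` grants is defined elsewhere (the merge message only says its forwarding networks were reordered), so it is worth confirming that this does not let traffic arriving on eth0.3 be forwarded anywhere the `untrusted` class on its own would not allow. A short comment next to the `defnet` for `default`, noting that untrusted interfaces are deliberately members, would make that intent explicit for the next reader.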
@@ -70,5 +70,38 @@ run iptables -A OUTPUT -m multiport \
 dnsresolver inbound
 ntpclient inbound $ntp_servers
+## IPv6 6-in-4 tunnel.
+run iptables -A inbound -j ACCEPT \
+ -p $proto_ipv6 -s 216.66.80.26
+
+## NAT for RFC1918 addresses.
+for i in PREROUTING OUTPUT POSTROUTING; do
+ run iptables -t nat -P $i ACCEPT 2>/dev/null || :
+ run iptables -t nat -F $i 2>/dev/null || :
+done
+run iptables -t nat -F
+run iptables -t nat -X
+
+run iptables -t nat -N outbound
+run iptables -t nat -A outbound -j RETURN ! -o eth0.0
+run iptables -t nat -A outbound -j RETURN ! -s 172.29.198.0/23
+run iptables -t nat -A outbound -j RETURN -d 62.49.204.144/28
+run iptables -t nat -A outbound -j RETURN -d 172.29.198.0/23
+run iptables -t nat -A outbound -j SNAT --to-source 62.49.204.158
+run iptables -t nat -A POSTROUTING -j outbound
+
+## Set up NAT protocol helpers. In particular, SIP needs some special
+## twiddling.
+run modprobe nf_conntrack_sip \
+ ports=5060 \
+ sip_direct_signalling=0 \
+ sip_direct_media=0
+for p in ftp sip h323; do
+ run modprobe nf_nat_$p
+done
+
+## Forbid anything complicated to the NAT address.
+run iptables -A INPUT -d 62.49.204.158 ! -p icmp -j REJECT
+
 m4_divert(-1)
 ###----- That's all, folks --------------------------------------------------
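Review bot: The helper block loads `nf_conntrack_sip` with `ports=5060` and then `nf_nat_ftp`, `nf_nat_sip` and `nf_nat_h323` without tying them to particular flows, so on kernels that auto-assign helpers every connection on those ports is handed to the matching protocol parser, which is the part of conntrack most worth keeping narrow; where the kernel offers the `nf_conntrack_helper` sysctl, set it to 0 and attach helpers explicitly per protocol and port actually in use, e.g. `run iptables -t raw -A PREROUTING -p udp --dport 5060 -j CT --helper sip`. The comment `## NAT for RFC1918 addresses.` promises more than the chain beneath it delivers, which only SNATs sources in `172.29.198.0/23` leaving via `eth0.0`; naming that range in the comment keeps it accurate. The closing `REJECT` is appended to `INPUT`, so it only bites if nothing earlier in that chain already accepts traffic to `62.49.204.158` — the rest of INPUT lies outside the hunk.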