From a3972fea9c58e172fb2a1c1dc7362ec6a40fa4bd Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Tue, 31 May 2011 22:24:42 +0100
Subject: [PATCH] Host changeover. Remove metalzone, which is defunct; add all of the new machines.
---
 artist.m4 | 67 +++++++++++++++++++++++++++++++++++++++++++
 gibson.m4 | 52 ++++++++++++++++++++++++++++++++++
 ibanez.m4 | 52 ++++++++++++++++++++++++++++++++++
 jem.m4 | 72 +++++++++++++++++++++++++++++++++++++++++++++++
 local.mk | 9 +++++-
 metalzone.m4 => radius.m4 | 30 +++++++++-----------
 roadstar.m4 | 66 +++++++++++++++++++++++++++++++++++++++++++
 7 files changed, 331 insertions(+), 17 deletions(-)
 create mode 100644 artist.m4
 create mode 100644 gibson.m4
 create mode 100644 ibanez.m4
 create mode 100644 jem.m4
 rename metalzone.m4 => radius.m4 (85%)
 create mode 100644 roadstar.m4
diff --git a/artist.m4 b/artist.m4
new file mode 100644
index 0000000..19394ee
--- /dev/null
+++ b/artist.m4
@@ -0,0 +1,67 @@
+### -*-sh-*-
+###
+### Firewall configuration for artist
+###
+### (c) 2008 Mark Wooding
+###
+
+###----- Licensing notice ---------------------------------------------------
+###
+### This program is free software; you can redistribute it and/or modify
+### it under the terms of the GNU General Public License as published by
+### the Free Software Foundation; either version 2 of the License, or
+### (at your option) any later version.
+###
+### This program is distributed in the hope that it will be useful,
+### but WITHOUT ANY WARRANTY; without even the implied warranty of
+### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+### GNU General Public License for more details.
+###
+### You should have received a copy of the GNU General Public License
+### along with this program; if not, write to the Free Software Foundation,
+### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+###--------------------------------------------------------------------------
+### Config settings.
+
+## This host isn't a router.
+setconf(forward, 0)
+
+###--------------------------------------------------------------------------
+### Network interfaces.
+
+m4_divert(44)m4_dnl
+## Interface definitions.
+if_untrusted=eth0
+if_trusted=eth0
+if_vpn=eth0
+if_iodine=eth0
+if_its_mz=eth0
+if_its_pi=eth0
+
+m4_divert(-1)
+###--------------------------------------------------------------------------
+### artist-specific rules.
+
+m4_divert(82)m4_dnl
+## Externally visible services.
+allowservices inbound tcp \
+ ssh \
+ ftp ftp_data \
+ http https \
+ tor_public tor_directory i2p
+allowservices inbound udp \
+ i2p
+
+## Allow smb and nmb to untrusted hosts.
+run iptables -A inbound -j ACCEPT \
+ -s 172.29.198.0/24 \
+ -p udp -m multiport --destination-ports \
+ $port_netbios_ns,$port_netbios_dgm
+run iptables -A inbound -j ACCEPT \
+ -s 172.29.198.0/24 \
+ -p tcp -m multiport --destination-ports \
+ $port_netbios_ssn,$port_microsoft_ds
+
+m4_divert(-1)
+###----- That's all, folks --------------------------------------------------
diff --git a/gibson.m4 b/gibson.m4
new file mode 100644
index 0000000..c49c36a
--- /dev/null
+++ b/gibson.m4
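Review bot: The untrusted-subnet address `172.29.198.0/24` is written as a literal in both smb/nmb rules here and again in jem.m4, roadstar.m4 and radius.m4, while every port in the same rules is taken from a named `$port_*` variable. One definition next to the interface variables in the `m4_divert(44)` section, e.g. `net_untrusted=172.29.198.0/24` used as `-s $net_untrusted`, would keep the subnet in one place when it changes; if the shared m4 library already defines such a name, that should be used instead. The `## Allow smb and nmb to untrusted hosts.` comment would also be more useful if it said why NetBIOS must be reachable from the untrusted side at all, since the rule admits the whole subnet rather than a named file server.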
@@ -0,0 +1,52 @@
+### -*-sh-*-
+###
+### Firewall configuration for gibson
+###
+### (c) 2008 Mark Wooding
+###
+
+###----- Licensing notice ---------------------------------------------------
+###
+### This program is free software; you can redistribute it and/or modify
+### it under the terms of the GNU General Public License as published by
+### the Free Software Foundation; either version 2 of the License, or
+### (at your option) any later version.
+###
+### This program is distributed in the hope that it will be useful,
+### but WITHOUT ANY WARRANTY; without even the implied warranty of
+### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+### GNU General Public License for more details.
+###
+### You should have received a copy of the GNU General Public License
+### along with this program; if not, write to the Free Software Foundation,
+### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+###--------------------------------------------------------------------------
+### Config settings.
+
+## This host isn't a router.
+setconf(forward, 0)
+
+###--------------------------------------------------------------------------
+### Network interfaces.
+
+m4_divert(44)m4_dnl
+## Interface definitions.
+if_untrusted=eth0
+if_trusted=eth0
+if_vpn=eth0
+if_iodine=eth0
+if_its_mz=eth0
+if_its_pi=eth0
+
+m4_divert(-1)
+###--------------------------------------------------------------------------
+### gibson-specific rules.
+
+m4_divert(82)m4_dnl
+## Externally visible services.
+allowservices inbound tcp \
+ ssh
+
+m4_divert(-1)
+###----- That's all, folks --------------------------------------------------
diff --git a/ibanez.m4 b/ibanez.m4
new file mode 100644
index 0000000..5fc1ecd
--- /dev/null
+++ b/ibanez.m4
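Review bot: The six interface variables are all set to `eth0` with no explanation, and two of them, `if_its_mz` and `if_its_pi`, are named after links this single-homed host does not have (`mz` presumably refers to the metalzone host this commit retires, which had real `its-mz`/`its-pi` interfaces). A reader cannot tell whether the assignments mean anything or merely satisfy names the shared rules reference, so a comment above the block would help, e.g. `## Single-homed host: every role is served by eth0; if_its_mz/if_its_pi are set only because the shared rules expect them -- TODO confirm`. The same unexplained block is repeated in artist.m4, ibanez.m4, jem.m4 and roadstar.m4.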
@@ -0,0 +1,52 @@
+### -*-sh-*-
+###
+### Firewall configuration for ibanez
+###
+### (c) 2008 Mark Wooding
+###
+
+###----- Licensing notice ---------------------------------------------------
+###
+### This program is free software; you can redistribute it and/or modify
+### it under the terms of the GNU General Public License as published by
+### the Free Software Foundation; either version 2 of the License, or
+### (at your option) any later version.
+###
+### This program is distributed in the hope that it will be useful,
+### but WITHOUT ANY WARRANTY; without even the implied warranty of
+### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+### GNU General Public License for more details.
+###
+### You should have received a copy of the GNU General Public License
+### along with this program; if not, write to the Free Software Foundation,
+### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+###--------------------------------------------------------------------------
+### Config settings.
+
+## This host isn't a router.
+setconf(forward, 0)
+
+###--------------------------------------------------------------------------
+### Network interfaces.
+
+m4_divert(44)m4_dnl
+## Interface definitions.
+if_untrusted=br0
+if_trusted=br0
+if_vpn=br0
+if_iodine=br0
+if_its_mz=br0
+if_its_pi=br0
+
+m4_divert(-1)
+###--------------------------------------------------------------------------
+### ibanez-specific rules.
+
+m4_divert(82)m4_dnl
+## Externally visible services.
+allowservices inbound tcp \
+ ssh
+
+m4_divert(-1)
+###----- That's all, folks --------------------------------------------------
diff --git a/jem.m4 b/jem.m4
new file mode 100644
index 0000000..f9922c9
--- /dev/null
+++ b/jem.m4
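Review bot: Every interface role is `br0`, a bridge, yet the only forwarding control in the file is `setconf(forward, 0)`, which disables IP routing. If br0 has more than one member port, frames between those ports are switched at layer 2 and only pass through the `inbound` chain when bridge netfilter is enabled, so the host filter defined here may never see them; that is a property of the kernel configuration rather than of this ruleset, but nothing in the file tells the reader which case applies. Suggest a comment at the interface block stating what br0 contains and whether bridged traffic is expected to bypass this filter, e.g. `## br0 bridges <member ports -- TODO>; bridged frames are not filtered by these rules unless br_netfilter is in use.`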
@@ -0,0 +1,72 @@
+### -*-sh-*-
+###
+### Firewall configuration for jem
+###
+### (c) 2008 Mark Wooding
+###
+
+###----- Licensing notice ---------------------------------------------------
+###
+### This program is free software; you can redistribute it and/or modify
+### it under the terms of the GNU General Public License as published by
+### the Free Software Foundation; either version 2 of the License, or
+### (at your option) any later version.
+###
+### This program is distributed in the hope that it will be useful,
+### but WITHOUT ANY WARRANTY; without even the implied warranty of
+### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+### GNU General Public License for more details.
+###
+### You should have received a copy of the GNU General Public License
+### along with this program; if not, write to the Free Software Foundation,
+### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+###--------------------------------------------------------------------------
+### Config settings.
+
+## This host isn't a router.
+setconf(forward, 0)
+
+###--------------------------------------------------------------------------
+### Network interfaces.
+
+m4_divert(44)m4_dnl
+## Interface definitions.
+if_untrusted=eth0
+if_trusted=eth0
+if_vpn=eth0
+if_iodine=eth0
+if_its_mz=eth0
+if_its_pi=eth0
+
+m4_divert(-1)
+###--------------------------------------------------------------------------
+### jem-specific rules.
+
+m4_divert(82)m4_dnl
+## Externally visible services.
+allowservices inbound tcp \
+ ssh \
+ smtp submission \
+ http https \
+ imaps
+
+## Provide DNS resolution to local untrusted hosts.
+for p in tcp udp; do
+ run iptables -A inbound -j ACCEPT \
+ -s 172.29.198.0/24 \
+ -p $p --destination-port $port_dns
+done
+
+## Allow smb and nmb to untrusted hosts. This is a bit experimental.
+run iptables -A inbound -j ACCEPT \
+ -s 172.29.198.0/24 \
+ -p udp -m multiport --destination-ports \
+ $port_netbios_ns,$port_netbios_dgm
+run iptables -A inbound -j ACCEPT \
+ -s 172.29.198.0/24 \
+ -p tcp -m multiport --destination-ports \
+ $port_netbios_ssn,$port_microsoft_ds
+
+m4_divert(-1)
+###----- That's all, folks --------------------------------------------------
diff --git a/local.mk b/local.mk
index 9a5ade5..d272914 100644
--- a/local.mk
+++ b/local.mk
@@ -4,5 +4,12 @@ MAIN_M4_SOURCES += local.m4
 ## The avaiable hosts.
-HOSTS += metalzone
 HOSTS += vampire
+
+HOSTS += ibanez
+HOSTS += radius
+HOSTS += roadstar
+HOSTS += jem
+HOSTS += artist
+
+HOSTS += gibson
diff --git a/metalzone.m4 b/radius.m4
similarity index 85%
rename from metalzone.m4
rename to radius.m4
index 90c37dd..b97f481 100644
--- a/metalzone.m4
+++ b/radius.m4
@@ -1,6 +1,6 @@
 ### -*-sh-*-
 ###
-### Firewall configuration for metalzone
+### Firewall configuration for radius
 ###
 ### (c) 2008 Mark Wooding
 ###
@@ -26,32 +26,25 @@ m4_divert(44)m4_dnl
 ## Interface definitions.
-if_untrusted=eth0
+if_untrusted=eth1
 if_trusted=eth0
 if_vpn=eth0
 if_iodine=eth0
-if_its_mz=its-mz
-if_its_pi=its-pi
+if_its_mz=eth0
+if_its_pi=eth0
 m4_divert(-1)
 ###--------------------------------------------------------------------------
-### metalzone-specific rules.
+### radius-specific rules.
 m4_divert(82)m4_dnl
 ## Externally visible services.
 allowservices inbound tcp \
- finger ident \
- ssh \
- smtp submission \
- gnutella_svc \
- ftp ftp_data \
- rsync \
- imaps \
- http https \
- git
+ dns iodine \
+ ssh
 allowservices inbound udp \
- tripe \
- gnutella_svc
+ dns iodine \
+ tripe
 ## Provide DNS resolution to local untrusted hosts.
 for p in tcp udp; do
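Review bot: The DNS loop (`for p in tcp udp; do … done`) and the two smb/nmb rules above are byte-for-byte copies of the blocks in radius.m4 and artist.m4, and roadstar.m4 repeats the DNS loop a third time. The repository already expresses shared rule patterns as macros (`allowservices`, `dnsresolver`), so a macro taking the chain and the subnet would keep the copies from drifting; the shared library is not visible from this patch, so such a macro may already exist under another name. The comment `## Allow smb and nmb to untrusted hosts. This is a bit experimental.` would carry more weight if it said what is being tried and when the rules are to be reviewed or removed.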
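Review bot: Adding `dns` to both `allowservices inbound tcp` and `allowservices inbound udp` appears to accept port 53 from every source, which makes the `## Provide DNS resolution to local untrusted hosts` loop that follows (context lines; the loop body ends outside this hunk) redundant, since the unconditional rule already covers that subnet. If the intent is only to make the iodine DNS-tunnel endpoint reachable from outside, the broad allow also exposes any recursive resolver running on this host to outside clients, the usual open-resolver concern; if the host answers authoritatively for the tunnel zone only, nothing in the file says so. Suggest either removing the now-redundant loop or adding `## dns is world-reachable for the iodine tunnel; the resolver must not recurse for outside clients -- TODO confirm` above the tcp list.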
@@ -60,6 +53,11 @@ for p in tcp udp; do
 -p $p --destination-port $port_dns
 done
+## Provide syslog for evolution.
+run iptables -A inbound -j ACCEPT \
+ -s 172.29.198.2 \
+ -p udp --destination-port $port_syslog
+
 ## Other interesting things.
 dnsresolver inbound
 ntpclient inbound 158.152.1.76 158.152.1.204 194.159.253.2
diff --git a/roadstar.m4 b/roadstar.m4
new file mode 100644
index 0000000..dd810c2
--- /dev/null
+++ b/roadstar.m4
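Review bot: The new syslog rule matches on source address alone, and UDP has no handshake to confirm the sender, so a datagram arriving on any interface with `172.29.198.2` as its source is accepted; on this host that matters because, unlike the other hosts in this patch, `if_untrusted` (eth1) differs from the interfaces serving the other roles (eth0). Unless the `inbound` chain is only ever entered from one interface, which this patch does not show, bind the rule to the interface the sender actually lives on, `  -i $if_untrusted -s 172.29.198.2 \`, assuming that subnet is on the untrusted side as the DNS comment in the previous hunk suggests. The comment `## Provide syslog for evolution.` would also read better if it said that evolution is a host, since the word has other meanings in this context.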
@@ -0,0 +1,66 @@
+### -*-sh-*-
+###
+### Firewall configuration for roadstar
+###
+### (c) 2008 Mark Wooding
+###
+
+###----- Licensing notice ---------------------------------------------------
+###
+### This program is free software; you can redistribute it and/or modify
+### it under the terms of the GNU General Public License as published by
+### the Free Software Foundation; either version 2 of the License, or
+### (at your option) any later version.
+###
+### This program is distributed in the hope that it will be useful,
+### but WITHOUT ANY WARRANTY; without even the implied warranty of
+### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+### GNU General Public License for more details.
+###
+### You should have received a copy of the GNU General Public License
+### along with this program; if not, write to the Free Software Foundation,
+### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+###--------------------------------------------------------------------------
+### Config settings.
+
+## This host isn't a router.
+setconf(forward, 0)
+
+###--------------------------------------------------------------------------
+### Network interfaces.
+
+m4_divert(44)m4_dnl
+## Interface definitions.
+if_untrusted=eth0
+if_trusted=eth0
+if_vpn=eth0
+if_iodine=eth0
+if_its_mz=eth0
+if_its_pi=eth0
+
+m4_divert(-1)
+###--------------------------------------------------------------------------
+### roadstar-specific rules.
+
+m4_divert(82)m4_dnl
+## Externally visible services.
+allowservices inbound tcp \
+ ssh \
+ ftp ftp_data \
+ rsync \
+ http https squid \
+ git
+
+## Provide DNS resolution to local untrusted hosts.
+for p in tcp udp; do
+ run iptables -A inbound -j ACCEPT \
+ -s 172.29.198.0/24 \
+ -p $p --destination-port $port_dns
+done
+
+## Other interesting things.
+dnsresolver inbound
+
+m4_divert(-1)
+###----- That's all, folks --------------------------------------------------
--
2.11.0
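Review bot: `squid` is listed among the `## Externally visible services.`, so the proxy port is accepted from any source, while DNS on the same host is deliberately limited to `172.29.198.0/24` by the loop just below. A proxy reachable from outside depends entirely on squid's own ACLs not to relay for strangers; if the proxy is meant for the local hosts only, move it out of the `allowservices` list and admit it with a source-limited rule in the style of the DNS loop, using the framework's port variable for squid if one is defined. If it really is intended to be public, a one-line comment saying why would stop the next reader from tightening it.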