## Externally visible services.
allowservices inbound tcp \
ident \
- dns iodine \
ssh
allowservices inbound udp \
- dns iodine \
tripe
-## Provide DNS resolution to local untrusted hosts.
-for p in tcp udp; do
- run iptables -A inbound -j ACCEPT \
- -s 172.29.198.0/24 \
- -p $p --destination-port $port_dns
-done
-
## Provide syslog for evolution.
run iptables -A inbound -j ACCEPT \
-s 172.29.198.2 \
## Other interesting things.
dnsresolver inbound
+dnsserver inbound
## IPv6 6-in-4 tunnel.
run iptables -A inbound -j ACCEPT \
-m mark --mark $from_untrusted/$MASK_FROM \
-m state --state ESTABLISHED
+## BCP38 filtering. Note that addresses here are seen before NAT is applied.
+bcp38 4 ppp0 62.49.204.144/28 172.29.198.0/23
+bcp38 6 t6-he \
+ 2001:470:1f08:1b98::2 2001:470:1f09:1b98::/64 \
+ 2001:470:9740::/48
+
## NAT for RFC1918 addresses.
for i in PREROUTING OUTPUT POSTROUTING; do
run iptables -t nat -P $i ACCEPT 2>/dev/null || :
run iptables -t nat -X
run iptables -t nat -N outbound
-run iptables -t nat -A outbound -j RETURN ! -o eth0
+run iptables -t nat -A outbound -j RETURN ! -o ppp0
run iptables -t nat -A outbound -j RETURN ! -s 172.29.198.0/23
run iptables -t nat -A outbound -j RETURN -d 62.49.204.144/28
run iptables -t nat -A outbound -j RETURN -d 172.29.198.0/23
+
+## An awful hack.
+##run iptables -t nat -A outbound -j DNETMAP --reuse \
+## -s 172.29.199.44 --prefix 62.49.204.157
+##run iptables -t nat -A outbound -j DNETMAP --reuse \
+## -s 172.29.198.34 --prefix 62.49.204.157
+##run iptables -t nat -A outbound -j DNETMAP --reuse \
+## -s 172.29.198.11 --prefix 62.49.204.157
+##run iptables -t nat -A PREROUTING -j DNETMAP
+
run iptables -t nat -A outbound -j SNAT --to-source 62.49.204.158
run iptables -t nat -A POSTROUTING -j outbound
run modprobe nf_nat_$p
done
-## Forbid anything complicated to the NAT address.
+## Forbid anything complicated to the NAT address. Be sure to allow ident,
+## though.
+run iptables -A INPUT -d 62.49.204.158 -p tcp -j ACCEPT \
+ -m multiport --destination-ports=113
run iptables -A INPUT -d 62.49.204.158 ! -p icmp -j REJECT
m4_divert(-1)