safe:172.29.199.64/27 \
untrusted:default
defiface $if_untrusted \
- untrusted:172.29.198.0/24
+ untrusted:172.29.198.0/25
defvpn $if_vpn safe 172.29.199.128/27 \
crybaby:172.29.199.129
+defiface $if_iodine untrusted:172.29.198.128/28
defiface $if_its_mz safe:172.29.199.160/30
defiface $if_its_pi safe:192.168.0.0/24
## Allow ping from safe/noloop to untrusted networks.
run iptables -A FORWARD -j ACCEPT \
- -p icmp --icmp-type echo-request \
+ -p icmp ! -f --icmp-type echo-request \
-m mark --mark $to_untrusted/$MASK_TO
run iptables -A FORWARD -j ACCEPT \
- -p icmp --icmp-type echo-reply \
+ -p icmp ! -f --icmp-type echo-reply \
-m mark --mark $from_untrusted/$MASK_FROM \
-m state --state ESTABLISHED
## Allow SSH from safe/noloop to untrusted networks.
run iptables -A FORWARD -j ACCEPT \
- -p tcp --destination-port $port_ssh \
+ -p tcp ! -f --destination-port $port_ssh \
-m mark --mark $to_untrusted/$MASK_TO
run iptables -A FORWARD -j ACCEPT \
- -p tcp --source-port $port_ssh \
+ -p tcp ! -f --source-port $port_ssh \
-m mark --mark $from_untrusted/$MASK_FROM \
-m state --state ESTABLISHED
clearchain inbound
## Track connections.
+ commonrules inbound
conntrack inbound
## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a
if_untrusted=eth0.1
if_trusted=eth0.0
if_vpn=vpn-+
+if_iodine=dns+
if_its_mz=eth0.0
if_its_pi=eth0.0
###--------------------------------------------------------------------------
### vampire-specific rules.
- m4_divert(35)m4_dnl
- errorchain ddos-evil-dns DROP
- ## Invalid DNS request with probably-forged sender address, with intent to
- ## cause DDOS.
-
m4_divert(82)m4_dnl
- ## Repelling evil DDos attack.
- run ipset -N ddos-evil-dns iphash 2>/dev/null || :
- run iptables -A inbound -g ddos-evil-dns \
- -m set --set ddos-evil-dns src \
- -p udp --destination-port $port_dns
-
## Externally visible services.
allowservices inbound tcp \
finger ident \
- dns \
+ dns iodine \
ssh \
smtp \
gnutella_svc \
ftp ftp_data \
rsync \
+ disorder \
http https \
git
allowservices inbound tcp \
tor_public tor_directory
allowservices inbound udp \
- dns \
+ dns iodine \
tripe \
gnutella_svc