run iptables -A $chain -p tcp ! --syn -g bad-tcp
}
+## commonrules CHAIN
+##
+## Add standard IP filtering rules to the CHAIN.
+commonrules () {
+ set -e
+ chain=$1
+
+ ## Pass fragments through, assuming that the eventual destination will sort
+ ## things out properly. Except for TCP, that is, which should never be
+ ## fragmented.
+ run iptables -A $chain -p tcp -f -g tcp-fragment
+ run iptables -A $chain -f -j ACCEPT
+}
+
## allowservices CHAIN PROTO SERVICE ...
##
## Add rules to allow the SERVICES on the CHAIN.
## Allow ping from safe/noloop to untrusted networks.
run iptables -A FORWARD -j ACCEPT \
- -p icmp --icmp-type echo-request \
+ -p icmp ! -f --icmp-type echo-request \
-m mark --mark $to_untrusted/$MASK_TO
run iptables -A FORWARD -j ACCEPT \
- -p icmp --icmp-type echo-reply \
+ -p icmp ! -f --icmp-type echo-reply \
-m mark --mark $from_untrusted/$MASK_FROM \
-m state --state ESTABLISHED
## Allow SSH from safe/noloop to untrusted networks.
run iptables -A FORWARD -j ACCEPT \
- -p tcp --destination-port $port_ssh \
+ -p tcp ! -f --destination-port $port_ssh \
-m mark --mark $to_untrusted/$MASK_TO
run iptables -A FORWARD -j ACCEPT \
- -p tcp --source-port $port_ssh \
+ -p tcp ! -f --source-port $port_ssh \
-m mark --mark $from_untrusted/$MASK_FROM \
-m state --state ESTABLISHED
clearchain inbound
## Track connections.
+commonrules inbound
conntrack inbound
## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a