i2p
## Allow smb and nmb to untrusted hosts.
-run iptables -A inbound -j ACCEPT \
- -s 172.29.198.0/24 \
+run ip46tables -A inbound-untrusted -j ACCEPT \
-p udp -m multiport --destination-ports \
- $port_netbios_ns,$port_netbios_dgm
-run iptables -A inbound -j ACCEPT \
- -s 172.29.198.0/24 \
- -p tcp -m multiport --destination-ports \
- $port_netbios_ssn,$port_microsoft_ds
+ $port_netbios_ns,$port_netbios_dgm
## Open ports for Rygel.
run iptables -A inbound -j ACCEPT -s 172.29.198.0/23 -p igmp
ntpclient inbound $ntp_servers
## Provide NTP service to untrusted clients.
-run iptables -A inbound -p udp -j ACCEPT \
- --source-port 123 --destination-port 123 \
- -s 172.29.198.0/23
-run ip6tables -A inbound -p udp -j ACCEPT \
- --source-port 123 --destination-port 123 \
- -s 2001:ba8:1d9::/48
-run ip6tables -A inbound -p udp -j ACCEPT \
- --source-port 123 --destination-port 123 \
- -s 2001:8b0:c92::/48
+run ip46tables -A inbound-untrusted -p udp -j ACCEPT \
+ --source-port 123 --destination-port 123
## Guaranteed black hole. Put this at the very front of the chain.
run iptables -I INPUT -d 212.13.198.78 -j DROP
ntpclient inbound $ntp_servers
## Provide NTP service to untrusted clients.
-run iptables -A inbound -p udp -j ACCEPT \
- --source-port 123 --destination-port 123 \
- -s 172.29.198.0/23
-run ip6tables -A inbound -p udp -j ACCEPT \
- --source-port 123 --destination-port 123 \
- -s 2001:ba8:1d9::/48
-run ip6tables -A inbound -p udp -j ACCEPT \
- --source-port 123 --destination-port 123 \
- -s 2001:8b0:c92::/48
+run ip46tables -A inbound-untrusted -p udp -j ACCEPT \
+ --source-port 123 --destination-port 123
m4_divert(-1)
###----- That's all, folks --------------------------------------------------
## Provide DNS resolution to local untrusted hosts.
for p in tcp udp; do
- run iptables -A inbound -j ACCEPT \
- -s 172.29.198.0/24 \
+ run ip46tables -A inbound -j ACCEPT \
-p $p --destination-port $port_dns
done
### Locally-bound packet inspection.
clearchain inbound
+clearchain inbound-untrusted
## Track connections.
commonrules inbound
openports inbound
## Inspect inbound packets from untrusted sources.
+run ip6tables -A inbound -s 2001:8b0:c92:8000::/49 -g inbound-untrusted
+run ip6tables -A inbound -s 2001:ba8:1d9:8000::/49 -g inbound-untrusted
+run ip46tables -A inbound-untrusted -g forbidden
run ip46tables -A inbound -g forbidden
run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
+run iptables -A inbound -s 172.29.198.0/24 -j inbound-untrusted
## Allow responses from the scary outside world into the untrusted net, but
## don't let untrusted things run services.
## Provide DNS resolution to local untrusted hosts.
for p in tcp udp; do
- run iptables -A inbound -j ACCEPT \
- -s 172.29.198.0/24 \
+ run ip46tables -A inbound-untrusted -j ACCEPT \
-p $p --destination-port $port_dns
done
gnutella_svc \
i2p
-## Extend some services to local untrusted hosts.
-clearchain inbound-untrusted
-run iptables -A inbound -j inbound-untrusted -s $net_inet_untrusted
-run ip6tables -A inbound -j inbound-untrusted -s $net_inet6_untrusted
-
allowservices inbound-untrusted tcp \
dns \
lpd \
ntpclient inbound $ntp_servers
## Provide NTP service to untrusted clients.
-run iptables -A inbound -p udp -j ACCEPT \
- --source-port 123 --destination-port 123 \
- -s 172.29.198.0/23
-run ip6tables -A inbound -p udp -j ACCEPT \
- --source-port 123 --destination-port 123 \
- -s 2001:ba8:1d9::/48
-run ip6tables -A inbound -p udp -j ACCEPT \
- --source-port 123 --destination-port 123 \
- -s 2001:8b0:c92::/48
+ip46tables -A inbound-untrusted -p udp -j ACCEPT \
+ --source-port 123 --destination-port 123
m4_divert(-1)
###----- That's all, folks --------------------------------------------------
~mdw / firewall / commitdiff