~mdw/firewall commitdiff (parent: cbbd5e3)
radius.m4: Handy ipset hook for ad-hoc safe/untrusted exceptions.
author Mark Wooding <mdw@distorted.org.uk> Fri, 8 Jun 2012 00:28:45 +0000 (01:28 +0100)
committer Mark Wooding <mdw@distorted.org.uk> Fri, 8 Jun 2012 00:28:45 +0000 (01:28 +0100)
diff --git
a/radius.m4
b/radius.m4
index 4bf4ceab0803edbfc9dbf0339723e2263fd8c18a..ecf64b797cbe0b4ffbfb0a8fb25e426ae30dfe5b 100644
(file)
--- a/
radius.m4
+++ b/
radius.m4
@@
-53,6
+53,18
@@
dnsresolver inbound
run iptables -A inbound -j ACCEPT \
-p $proto_ipv6 -s 216.66.80.26
+## Permitted special forwarding.
+makeset fwd-allow-http nethash || :
+iptables -A fwd-spec-nofrag -j ACCEPT \
+ -m set --match-set fwd-allow-http dst \
+ -p tcp --destination-port $port_http \
+ -m mark --mark $to_untrusted/$MASK_TO
+iptables -A fwd-spec-nofrag -j ACCEPT \
+ -m set --match-set fwd-allow-http src \
+ -p tcp --destination-port $port_http \
+ -m mark --mark $from_untrusted/$MASK_FROM \
+ -m state --state ESTABLISHED
+
## NAT for RFC1918 addresses.
for i in PREROUTING OUTPUT POSTROUTING; do
run iptables -t nat -P $i ACCEPT 2>/dev/null || :
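Review bot: the port match in the second new rule looks reversed for the direction it handles. That rule keys on `--match-set fwd-allow-http src` together with `-m state --state ESTABLISHED`, so it is matching packets coming back from a host in the set, but those reply packets carry `$port_http` as their source port, not their destination, so `-p tcp --destination-port $port_http` will not match them. If the rule is meant to admit the replies to connections accepted by the first rule, it should use `--source-port $port_http` (or drop the port match and rely on the state match alone). Two smaller points: the new rules invoke `iptables` directly while the surrounding rules in this hunk go through `run iptables`, so these bypass whatever `run` does; and `makeset fwd-allow-http nethash || :` swallows a failure to create the set, after which both `--match-set fwd-allow-http` rules fail with a less obvious error.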