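# Deny reserved or internal networks on public interfaces
# where no traffic from them should ever be seen (and may
# indicate an attack).
#
# $1 - interface the deny rules are attached to (required).
# Relies on the `deny` rule helper provided by the including framework.
deny_martians_on () {
    local IF=$1
    if [ -z "$IF" ]; then
        echo "deny_martians_on: interface argument required" >&2
        return 1
    fi

    # antispoof
    deny host 0.0.0.0 on "$IF"

    # lan area -- set up deny rules for your internal nets
    # deny ip xxx.xxx.xxx.0 0.0.0.255

    # reserved (RFC 1918 private)
    deny net 10.0.0.0/8     on "$IF"
    # loopback
    deny net 127.0.0.0/8    on "$IF"
    # link-local network.
    deny net 169.254.0.0/16 on "$IF"
    # reserved (RFC 1918 private)
    deny net 172.16.0.0/12  on "$IF"
    # reserved (RFC 1918 private)
    deny net 192.168.0.0/16 on "$IF"
    # documentation/test networks (TEST-NET-1, -2, -3); never routed publicly,
    # so all three are treated alike rather than only the first
    deny net 192.0.2.0/24    on "$IF"
    deny net 198.51.100.0/24 on "$IF"
    deny net 203.0.113.0/24  on "$IF"
    # 224.0.0.0/3 spans 224.0.0.0-255.255.255.255: multicast (224/4) plus the
    # reserved 240/4 range and the limited-broadcast address 255.255.255.255
    deny net 224.0.0.0/3 on "$IF"
    # multicast proper -- redundant while the /3 rule above is present, kept so
    # the range stays denied if the /3 rule is dropped for MBGP-learned routes
    deny net 224.0.0.0/4 on "$IF"
}

# Function copied (basically) from Red Hat's network init scripts
# to ensure that name service works on an interface.
#
# $1 - interface on which replies from the configured nameservers are
#      allowed; defaults to eth2 (the public interface below), which the
#      original hard-coded despite the comment promising "an interface".
# Not invoked in this excerpt; call it for an interface that lacks a
# blanket `allow replies` rule and must still receive DNS answers.
allow_ns_from () {
    local IF=${1:-eth2}
    local ns nameserver
    # resolv.conf may separate the keyword and address with a tab rather
    # than a single space; awk's $2 already copes, so the pattern must too
    ns=$(awk '/^nameserver[ \t]+/ { print $2 }' /etc/resolv.conf)
    if [ -n "$ns" ]; then
        for nameserver in $ns ; do
            allow replies from "$nameserver" on "$IF"
        done
    fi
}

# Forward only specific hosts/networks; every interface section below
# ends with a catch-all deny, so anything not explicitly allowed is dropped.

# Typical trusted network:
# Masquerade trusted network to the public
# Deny nothing
masquerade net 192.168.1.0/24 on eth0 through eth2
#throttle tcp port 80 on eth0 through eth2 rate 5mbit burst 15k

# Typical semi-trusted network:
# Allow only the connected IP networks access to public resources
# Masquerade only the connected IP networks to the public
# Deny everything else
# 192.168.1.5 on the trusted LAN: SSH, SMTP, HTTPS, IMAP and IMAPS only
allow net 192.168.2.0/24 on eth1 to 192.168.1.5 tcp port 22
allow net 192.168.2.0/24 on eth1 to 192.168.1.5 tcp port 25
allow net 192.168.2.0/24 on eth1 to 192.168.1.5 tcp port 443
allow net 192.168.2.0/24 on eth1 to 192.168.1.5 tcp port 143
allow net 192.168.2.0/24 on eth1 to 192.168.1.5 tcp port 993
# NetBIOS (137/138/139) and DNS (53) to 192.168.2.254 -- presumably this
# host's own eth1 address, confirm; 192.168.2.255 is the subnet broadcast
# that NetBIOS name queries are sent to
allow net 192.168.2.0/24 on eth1 to 192.168.2.254 udp port 137
allow net 192.168.2.0/24 on eth1 to 192.168.2.255 udp port 137
allow net 192.168.2.0/24 on eth1 to 192.168.2.254 udp port 138
allow net 192.168.2.0/24 on eth1 to 192.168.2.254 tcp port 139
allow net 192.168.2.0/24 on eth1 to 192.168.2.254 udp port 53
# DHCP server port from any client on the segment (DHCP itself is UDP;
# the tcp rule is kept from the original and is likely never matched)
allow all on eth1 tcp port 67
allow all on eth1 udp port 67
masquerade net 192.168.2.0/24 on eth1 through eth2
allow replies on eth1
deny all on eth1

# Typical public interface:
# Deny IPv4 reserved nets
# Allow specific access to public resources
# Deny everything else
deny_martians_on eth2
allow all on eth2 tcp port 22
allow all on eth2 tcp port 443
allow replies on eth2
deny all on eth2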