policy: + stateful: true fs: bakz: v4: /var/lib/iptables/rules.backup.%s v6: /var/lib/ip6tables/rules.backup.%s at: /usr/bin/at diff: /usr/bin/colordiff -u keep: 10 delay: 5 bin: v4_pull: /sbin/iptables-save v4_push: /sbin/iptables-restore v6_pull: /sbin/ip6tables-save v6_push: /sbin/ip6tables-restore tablez: raw: prerouting: #-p udp --dport 6881 -j NOTRACK output: #-p udp --sport 6881 -j NOTRACK mangle: prerouting: input: forward: output: postrouting: nat: # IPv4-only NAT table prerouting: postrouting: output: svc: ssh_forwarding: prerouting: -p tcp --dport 8113 -j DNAT --to-destination 192.168.0.13:22 azureus: # to coercion prerouting: - -p tcp/udp --dport 28637 -j DNAT --to-destination 192.168.0.13 - -p udp --dport 28638 -j DNAT --to-destination 192.168.0.13 gateway: postrouting: -s 192.168.0.13 -j MASQUERADE filter: input: - --state RELATED,ESTABLISHED - -v4 -p icmp - -v6 -p icmpv6 forward: # ICMP - -v4 -p icmp - -v6 -p icmpv6 # SSH - -p tcp --dport ssh # New connz - -i lan -j core_in - -i vde -j minions_in # Known nets' reverse traffic - -d 192.168.0.0/28 --state RELATED,ESTABLISHED - -d 2001:470:1f0b:11de::/120 --state RELATED,ESTABLISHED # Azureus to coercion - -p tcp/udp -d 192.168.0.13 --dport 28637 - -p udp -d 192.168.0.13 --dport 28638 # Self-redirect for internal nets - -p tcp -d 2001:470:1f0a:11de::2 #~ - -p tcp -d 2001:470:1f0b:11de::21 --dport 25,110,143,993,995 # Cut the rest - output: minions_in: - -s 2001:470:1f0b:11de::20/124 - < minions_out: - -d 2001:470:1f0b:11de::20/124 - < core_in: - -s 192.168.0.10 # damnation.v4c - -s 192.168.0.11 # wlan.v4c - -s 192.168.0.12 # coercion.eth - -s 192.168.0.13 # coercion.v4c - -s 2001:470:1f0b:11de::10/124 # *.core - -s 2001:470:1f0b:11de::1 # self gw - < core_out: - -d 192.168.0.10 # damnation.v4c - -d 192.168.0.11 # wlan.v4c - -d 192.168.0.12 # coercion.eth - -d 192.168.0.13 # coercion.v4c - -d 2001:470:1f0b:11de::10/124 # *.core - -d 2001:470:1f0b:11de::1 # self gw - < svc: loopback: input-lo: + output-lo: + core: input-lan: -j core_in output-lan: -j core_out minions: input-vde: -j minions_in # HOLE! Fill in portz! output-vde: -j minions_out # HOLE! Fill in portz! 6to4_forwarding: -v6 -i tot telenet_gateway: input-lan: - -s 90.157.91.1 --mac-source 00:16:E6:41:AD:86 --state RELATED,ESTABLISHED - -s 10.0.49.1 --mac-source 00:1C:C0:4B:02:BD --state RELATED,ESTABLISHED output-lan: - -d 90.157.91.1 - -d 10.0.49.1 telenet_segnet_drop: # dangerous high-bandwidth connections via local telenet router input-ppp2: - -s 90.157.91.0/24 - - -s 90.157.40.128/25 - output-ppp2: - -d 90.157.91.0/24 - - -d 90.157.40.128/25 - ssh: -p tcp --dport ssh co-located_connz_drop: input-lan: - -s 192.168.0.0/16 - - -s 10.0.49.0/25 - - -s 2001:470:1f0b:11de::/64 - output-lan: - -d 192.168.0.0/16 - - -d 10.0.49.0/25 - - -d 2001:470:1f0b:11de::/64 - named: -p tcp/udp --dport domain ntp: -p udp --dport ntp mail: -p tcp --dport smtp,pop3,imap,pop3s,imaps squid: input-ppp2: - -p tcp -s 90.157.90.50 --dport 8100 - -p tcp -s 90.157.84.27 --dport 8100 - -p tcp -s 90.157.86.28 --dport 8100 - -p tcp -s 90.157.86.29 --dport 8100 input-ext1: - -p tcp -s 195.58.1.141 --dport 8100 cost-ineffective_connz_reject: input-ppp2: - -s 90.157.0.0/17 x - -s 87.224.128.0/17 x - -v4 web: -p tcp --dport http,https jabber: -p tcp --dport xmpp-client,xmpp-server,5223 git-daemon: -p tcp --dport git rsync: -p tcp/udp --dport rsync postgresql: -p tcp --dport postgresql rtorrent: - -p udp --dport 6881 - -p tcp --dport 6880:6999 blackhole_firewall: -p tcp/udp --dport 0:1023 - finish: x