# ip6tables-save format, three tables: filter (host input + forwarding policy for the
# tinc_dn42 overlay), mangle (marks eth0 ingress) and nat (masquerades marked traffic
# into fd00::/8). Within each chain the first matching rule wins, so rule order matters.
# Only full-line "#" comments are valid in this format; never append comments to a rule.
*filter
# Default policy: deny inbound and forwarded traffic, allow everything outbound.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Packets that belong to an already-tracked flow are accepted before any per-service rule.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Everything arriving over the dn42 tunnel interface is accepted without further filtering;
# the per-service rules below therefore only restrict the other interfaces (e.g. eth0).
-A INPUT -i tinc_dn42 -j ACCEPT
# All ICMPv6 types are accepted (IPv6 neighbour discovery is ICMPv6, so some types are required).
-A INPUT -p icmpv6 -j ACCEPT
# traceroute
# Reject the UDP probe range so traceroute gets a port-unreachable from this host.
# Note: nothing between here and the catch-all reject at the end of the chain accepts
# these ports, so this rule has the same effect as falling through to that reject.
-A INPUT -p udp -m multiport --dports 33434:33534 -j REJECT --reject-with icmp6-port-unreachable
# DNS
# Not restricted by interface: port 53 is reachable from eth0 as well as from tinc_dn42.
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
# BGP
# Likewise not restricted by interface.
-A INPUT -p tcp --dport 179 -j ACCEPT
# LG
# Looking-glass listeners, only accepted when the packet entered on eth0.
-A INPUT -i eth0 -p tcp --dport 6042 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 6142 -j ACCEPT
# Anything else inbound is rejected explicitly (port-unreachable) instead of hitting the DROP policy.
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
# Forwarding between addresses inside the ULA range fd00::/8 is allowed regardless of interface.
-A FORWARD -s fd00::/8 -d fd00::/8 -j ACCEPT
# don't match source alone - will prevent outer system from doing stuff.
# Any packet that entered on eth0 and is destined to fd00::/8 is forwarded, new flows included
# (the source address is deliberately not matched, see the comment above).
-A FORWARD -i eth0 -d fd00::/8 -j ACCEPT
# replies!
# Return traffic of flows accepted by the two rules above.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# post/prerouting, must allow forward
# formerly for HTTP/S
#-A FORWARD -s fd00::/8 -d fcee::1/128 -j ACCEPT
#-A FORWARD -s fcee::1/128 -d fd00::/8 -j ACCEPT
#-A FORWARD -j LOG --log-prefix "[dn42] forward"
# Everything else that would be forwarded is rejected with port-unreachable.
-A FORWARD -j REJECT --reject-with icmp6-port-unreachable
COMMIT
*mangle
# Every packet entering on eth0 is tagged with fwmark 0x4242 before routing;
# the nat table below keys on this mark.
-A PREROUTING -i eth0 -j MARK --set-mark 0x4242
COMMIT
*nat
# Marked packets (i.e. those that came in on eth0) leaving towards fd00::/8 are source-NATed
# to this host's address, so dn42 hosts see them as originating here rather than from eth0's side.
-A POSTROUTING -d fd00::/8 -m mark --mark 0x4242 -j MASQUERADE
COMMIT