"Fossies" - the Fresh Open Source Software Archive 
Member "aif-2.1.1/etc/arno-iptables-firewall/plugins/parasitic-net.conf" (16 Sep 2020, 4947 Bytes) of package /linux/privat/aif-2.1.1.tar.gz:
# ------------------------------------------------------------------------------
#       -= Arno's Iptables Firewall(AIF) - Parasitic (SNAT) Network plugin =-
# ------------------------------------------------------------------------------

# To actually enable this plugin make ENABLED=1:
# ------------------------------------------------------------------------------
ENABLED=0

# ------------------------------------------------------------------------------
# Parasitic Network
#
# Allows "clients" on the same subnet to use this device as a gateway upstream.
# This network of "clients" is the Parasitic Network, SNAT'ed to this device's
# external interface(s).
#
# This Parasitic Network is useful for situations when the upstream firewall
# is not under your control and you desire added security for specific devices
# in your subnet. Set the gateway address of Parasitic Network clients to an
# external IPv4 address of this device.
#
# Note: To be effective, be certain the Parasitic Network clients are IPv4-only
#
# (IPv4 Only)
# ------------------------------------------------------------------------------

# Specify which (external) network interfaces should have parasitic SNAT enabled.
# You can optionally also provide the interface IP in the form of interface~IP
# (e.g. for interfaces with multiple IP addresses). Multiple interfaces should
# be space separated. Leave empty to include all external interfaces.
# ------------------------------------------------------------------------------
PARASITIC_NET_IF=""

# Specify which "clients" are allowed to use this device as an SNAT gateway.
# If not specified, all hosts on parasitic SNAT enabled interfaces are allowed.
# NOTE: The hosts in here should be on subnets connected to interfaces specified
#       in PARASITIC_NET_IF
# ------------------------------------------------------------------------------
PARASITIC_NET_CLIENT_HOSTS=""

# Specify here the time(s) in minutes between executions of the helper script
# (leave default if you don't know what it is).
# ------------------------------------------------------------------------------
PARASITIC_NET_TIME="15"

################################################################################
# Use PARASITIC_NET_HOST_OPEN_xxx and PARASITIC_NET_HOST_DENY to restrict      #
# forwarded parasitic network traffic.                                         #
#                                                                              #
# By default all parasitic network packets are forwarded and NAT-ed upstream,  #
# unless one of the PARASITIC_NET_HOST_OPEN_xxx variables is specified. In     #
# that case the default policy for that protocol (TCP, UDP, ICMP, IP) will     #
# become deny, except for IP which always defaults to deny.                    #
################################################################################

#-------------------------------------------------------------------------------
# PARASITIC_NET_HOST_OPEN_xxx & PARASITIC_NET_HOST_DENY_xxx format:
#
# TCP/UDP port form:
#       "SRCIP1,SRCIP2,...>DESTIP1~port \
#        SRCIP3,...>DESTIP2~port"
#
# IP form:
#       "SRCIP1,SRCIP2,...>DESTIP1~protocol \
#        SRCIP3,...>DESTIP2~protocol"
#
# ICMP form:
#       "SRCIP1,SRCIP2,...>DESTIP1 \
#        SRCIP3,...>DESTIP2"
#
# TCP/UDP examples:
# -----------------
# Simple:
#   (Allow port 80 to INET host 1.2.3.4 for all parasitic hosts(0/0)):
#   PARASITIC_NET_HOST_OPEN_xxx="1.2.3.4~80"
# Advanced:
#   (Allow port 20 & 21 to INET host 1.2.3.4 for all parasitic hosts(0/0) and
#    allow port 80 to INET host 1.2.3.4 for parasitic host 192.168.0.10 (only)):
#   PARASITIC_NET_HOST_OPEN_xxx="1.2.3.4~20,21 192.168.0.10>0/0~80"
#
# IP protocol example:
#   (Allow protocols 47 & 48 to INET host 1.2.3.4 for all parasitic hosts(0/0))
#   PARASITIC_NET_HOST_OPEN_IP="1.2.3.4~47,48"
#
# NOTE: If no SRCIPx is specified, any source host is used
#-------------------------------------------------------------------------------

# Put in the following variables which hosts you want to allow (open) for certain
# services
# ------------------------------------------------------------------------------
PARASITIC_NET_HOST_OPEN_TCP=""
PARASITIC_NET_HOST_OPEN_UDP=""
PARASITIC_NET_HOST_OPEN_ICMP=""
PARASITIC_NET_HOST_OPEN_IP=""

# Put in the following variables which hosts you want to deny for certain
# services
# ------------------------------------------------------------------------------
PARASITIC_NET_HOST_DENY_TCP=""
PARASITIC_NET_HOST_DENY_UDP=""
PARASITIC_NET_HOST_DENY_ICMP=""
PARASITIC_NET_HOST_DENY_IP=""

# Enable (1) or disable (0) logging of denied packets
# ------------------------------------------------------------------------------
PARASITIC_NET_DENY_LOG=1

# Specify the policy for denied packets: DROP (default) or REJECT
# ------------------------------------------------------------------------------
PARASITIC_NET_DENY_POLICY="DROP"
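
The rule-string format documented in the comments above can be expanded into one entry per source/destination/port combination, so an OPEN or DENY value can be reviewed before the firewall loads it. The following is an added example, not part of AIF or of this configuration file; the function names `expand_rules` and `any_destination` are hypothetical, and printing `-` for a missing port (ICMP form) is this example's own convention.

```shell
#!/bin/sh
# Added example (not AIF's own parser): expand a PARASITIC_NET_HOST_OPEN_xxx /
# PARASITIC_NET_HOST_DENY_xxx value into "source destination port-or-protocol"
# lines, following the format described in the plugin's comments.

expand_rules() {
    # $1 = rule string, space separated: "SRCIP1,SRCIP2>DESTIP~port1,port2 ..."
    for rule in $1; do
        case "$rule" in
            *">"*) srcs=${rule%%">"*}; rest=${rule#*">"} ;;
            *)     srcs="0/0";         rest=$rule ;;   # no SRCIP: any source host
        esac
        case "$rest" in
            *"~"*) dest=${rest%%"~"*}; items=${rest#*"~"} ;;
            *)     dest=$rest;         items="-" ;;     # ICMP form has no ~port
        esac
        [ -n "$dest" ] || dest="0/0"
        old_ifs=$IFS; IFS=","                           # split the comma lists
        for src in $srcs; do
            for item in $items; do
                echo "$src $dest $item"
            done
        done
        IFS=$old_ifs
    done
}

# Print only the expanded entries whose destination is 0/0 (any upstream host).
# In an OPEN list these are the broadest entries and the first to review.
any_destination() {
    expand_rules "$1" | while read -r src dest item; do
        if [ "$dest" = "0/0" ]; then
            echo "$src $dest $item"
        fi
    done
}

# Sample value: the "Advanced" TCP example string from the comments above.
SAMPLE_OPEN_TCP="1.2.3.4~20,21 192.168.0.10>0/0~80"
expand_rules "$SAMPLE_OPEN_TCP"
any_destination "$SAMPLE_OPEN_TCP"
```
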