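#!/bin/sh
# Firewall and routing bring-up for the tunnel gateway.
#
# Interfaces, as this script names them:
#   LAN   - local side; configured below as $y.250/25 plus an alias $y.126/27
#   world - upstream side; only our own address $g.190 may appear as a source
#   tun0  - vtund tunnel to albus ($y.68), carried over world via $g.129
#
# Design: deny-list.  The built-in chain policies are NOT set here, so the
# only protection is the DROP rules appended below.  Forwarding is turned
# off first and re-enabled only after every rule is in place; if a
# security-relevant command fails the script stops right there, fail
# closed (forwarding off, LAN down).
#
# Deliberately not 'set -e': 'route del' and 'arp -Ds' are allowed to fail
# (nothing to delete on a first run); the commands that matter are wrapped
# in must() instead.  The iptables negation syntax used here (-s ! ADDR)
# is the legacy form the patched build expects; modern iptables wants
# '! -s ADDR'.

# must CMD...: run a security-relevant command, abort fail-closed on error.
# Forwarding is still disabled at every point where this can fire.
must() {
    if "$@"; then
        return 0
    fi
    echo "$0: FAILED: $*" >&2
    exit 1
}

y=209.9.9   # our class C: LAN, tunnel endpoint and the remote T1 hosts
g=204.4.4   # world side

# Disable forwarding till we are done; re-enabled only at the very end.
echo 0 > /proc/sys/net/ipv4/ip_forward

# Explicit host route to albus via the world gateway, so the tunnel
# carrier itself is never steered into tun0.  'route del' may fail
# harmlessly when no such route exists yet.
route del "$y.68"
must route add "$y.68" gw "$g.129"

# LAN is reconfigured further down; take the alias and the interface
# down first (may fail if already down -- not checked on purpose).
ifconfig LAN:1 down
ifconfig LAN down

# Now run the tunnel, but only if tun0 is not already present; vtund
# needs a moment before the interface shows up.
if ! ifconfig | grep -q "^tun0"; then
    vtund LanParty "$y.68"
    sleep 4
fi
ifconfig
if ! ifconfig | grep -q "^tun0"; then
    # Nothing below makes sense without the tunnel: the ROUTE rules steer
    # traffic into tun0 and forwarding would come up with LAN live.
    # Stop here, fail closed (forwarding off, LAN down).
    echo "$0: FAILED: tun0 did not come up" >&2
    exit 1
fi

# Start from empty chains.  NOTE: this only flushes rules; chain policies
# are left as they were, and until the OUTPUT DROPs below are appended
# there is a short window in which OUTPUT is unrestricted.
must iptables -F FORWARD
must iptables -F INPUT
must iptables -F OUTPUT
must iptables -F PREROUTING -t mangle -v

##### Restrict world immediately
# No packets to world not from tardis ($g.190, our world-side address).
must iptables -A OUTPUT -o world -s ! "$g.190" -j DROP
# No packets to the world subnet's network/broadcast addresses
# (looks like $g.128/26: gateway .129, us .190 -- confirm).
must iptables -A OUTPUT -o world -d "$g.128" -j DROP
must iptables -A OUTPUT -o world -d "$g.191" -j DROP
# No packets to MARS via world: private and multicast-and-above space.
# NOTE(review): 172.16.0.0/12 is not in this list -- confirm whether
# that is intentional.
must iptables -A OUTPUT -o world -d 10.0.0.0/8 -j DROP
must iptables -A OUTPUT -o world -d 192.168.0.0/16 -j DROP
must iptables -A OUTPUT -o world -d 224.0.0.0/3 -j DROP

###### Now configure LAN
must ifconfig LAN "$y.250" netmask 255.255.255.128 -broadcast up
must ifconfig LAN:1 "$y.126" netmask 255.255.255.224 -broadcast up

# Chinese wall: nothing is forwarded between LAN and world in either
# direction, nor between the tunnel and world.
must iptables -A FORWARD -i LAN -o world -j DROP
must iptables -A FORWARD -i world -o LAN -j DROP
must iptables -A FORWARD -i tun0 -o world -j DROP
must iptables -A FORWARD -i world -o tun0 -j DROP

# Anti-spoofing on LAN: only our class C may appear as a source, and
# $y.0/26 and $y.64/27 live on the far side of the tunnel (proxy-ARP'd
# below), so a LAN packet claiming one of those sources is forged.
must iptables -A INPUT -i LAN -s ! "$y.0/24" -j DROP
must iptables -A INPUT -i LAN -s "$y.0/26" -j DROP
must iptables -A INPUT -i LAN -s "$y.64/27" -j DROP
# No incoming LAN packets to the class C network/broadcast addresses.
must iptables -A INPUT -i LAN -d "$y.0" -j DROP
must iptables -A INPUT -i LAN -d "$y.255" -j DROP

# Policy routing for Summer ($y.96/27): everything not local to the
# class C, plus the two remote T1 ranges, is steered into tun0.  Uses
# the ROUTE target from the patched iptables build; the earlier version
# spelled these prefixes out as literals instead of using $y.
ROUTE_IPT=/usr/local/bin/iptables-ROUTE-patched
# Summer to world
must "$ROUTE_IPT" -A PREROUTING -t mangle -i LAN \
    -s "$y.96/27" -d ! "$y.0/24" -j ROUTE --iface tun0
# Summer to 0-63
must "$ROUTE_IPT" -A PREROUTING -t mangle -i LAN \
    -s "$y.96/27" -d "$y.0/26" -j ROUTE --iface tun0
# Summer to 64-95
must "$ROUTE_IPT" -A PREROUTING -t mangle -i LAN \
    -s "$y.96/27" -d "$y.64/27" -j ROUTE --iface tun0

# Every rule is in place: enable forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Finally proxy ARP for the important remote T1 boxen, so LAN hosts
# reach them through us (and hence through the tunnel).  A failure here
# costs reachability, not containment, so it is reported but not fatal.
for x in 2 3 4 5 6 55 75 76 77 78 79 91 92 93; do
    arp -Ds "$y.$x" LAN pub || echo "$0: warning: proxy arp for $y.$x failed" >&2
done

# Optional -- protect a range -- right now, everything 128 up: this host
# itself does not open TCP connections into $y.128/25.
must iptables -A OUTPUT -o LAN -d "$y.128/25" -p tcp --syn -j DROP
#END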