# marlon@mbvdl.net
# 13/04/2008
#
# This configuration works with Quagga routing over two PPP interfaces
#

# FireHOL configuration-language version; the statements below use v5 syntax.
version 5

# Green - Safe zone, home network
# Red - Untrusted Internet zone - International
# Orange - Untrusted Internet zone - Local

# Address space of the trusted LAN. It is reused below as the anti-spoofing
# source filter on both untrusted interfaces.
# NOTE(review): a host address is written with a /24 mask, so this matches
# the whole 192.168.2.0/24 network - confirm that is what is intended.
green_ips="192.168.2.17/24"

# Trusted LAN interface: the listed services are offered to green hosts and
# this host may initiate any connection towards them. No explicit policy is
# given here; presumably FireHOL's default policy (drop) applies - verify.
# mysql and ftp are reachable from every host on the LAN; keep this
# interface restricted to the green zone only.
interface eth0 green
	server	ssh	accept
	server	http	accept
	server	ftp	accept
	server	mysql	accept

	client	all	accept


# Local Internet link (orange). Packets whose source claims to be a green or
# unroutable address are excluded (anti-spoofing). Anything not listed is
# rejected. Inbound http and ssh are rate-limited: 5 new connections/s with
# the second number presumably the burst (FireHOL "limit" syntax - confirm);
# connections above the limit are dropped rather than rejected.
interface ppp0	orange	src not "${green_ips} ${UNROUTABLE_IPS}"
	policy	reject
	
	server	http	accept with limit 5/s 50 overflow drop
	server	ssh	accept with limit 5/s 50 overflow drop
	# ICMP is answered on this link but not on ppp1 below.
	server	icmp	accept

	client 	all	accept


# International Internet link (red): same anti-spoofing filter and reject
# policy as ppp0, but only rate-limited ssh is offered and ICMP is not
# accepted, so this link will not answer pings - confirm that is intended.
interface ppp1	red	src not "${green_ips} ${UNROUTABLE_IPS}"
	policy 	reject

	server	ssh 	accept with limit 5/s 50 overflow drop

	client	all	accept


# ROUTING

# LAN -> ppp0 with source NAT. NOTE(review): "route all accept" permits new
# connections in both directions (eth0->ppp0 and ppp0->eth0), not only
# green-initiated traffic; if only outbound connections from the LAN are
# wanted, "server all accept" would be the tighter form - verify against
# the Quagga setup before changing.
router	green2internet inface eth0 outface ppp0
	masquerade
	route all accept

# LAN -> ppp1, same shape and same review note as green2internet above.
router	green2internet2 inface eth0 outface ppp1
	masquerade
	route all accept


# Fix for TCP MSS exceeding the path MTU, thanks to Karnaugh.
# Clamps the MSS of every forwarded TCP SYN to the discovered path MTU;
# no interface is named, so this applies to all forwarded connections,
# not only those leaving via the ppp links.
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN  -j TCPMSS --clamp-mss-to-pmtu



