-s 172.29.198.0/23
ip6tables -A inbound -p udp -j ACCEPT \
--source-port 123 --destination-port 123 \
- -s 2001:470:9740::/48
+ -s 2001:ba8:1d9::/48
+ip6tables -A inbound -p udp -j ACCEPT \
+ --source-port 123 --destination-port 123 \
+ -s 2001:8b0:c92::/48
## Guaranteed black hole. Put this at the very front of the chain.
run iptables -I INPUT -d 212.13.198.78 -j DROP
-s 172.29.198.0/23
ip6tables -A inbound -p udp -j ACCEPT \
--source-port 123 --destination-port 123 \
- -s 2001:470:9740::/48
+ -s 2001:ba8:1d9::/48
+ip6tables -A inbound -p udp -j ACCEPT \
+ --source-port 123 --destination-port 123 \
+ -s 2001:8b0:c92::/48
m4_divert(-1)
###----- That's all, folks --------------------------------------------------
## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN.
## The former are as follows.
##
-## 62.49.204.144/28
-## House border network (dmz). We have all of these, but .145
-## is reserved for the router.
-##
## 81.2.113.195, 81.187.238.128/28
-## House border network (aaisp). We have all of these; the
-## loose address is for the router.
+## House border network (dmz). We have all of these; the loose
+## address is for the router.
##
## 212.13.18.64/28
## Jump colocated network (jump). .65--68 are used by Jump
## There are five blocks of publicly routable IPv6 addresses, though some of
## them aren't very interesting. The ranges are as follows.
##
-## 2001:470:1f08:1b98::/64
-## Hurricane Electric tunnel network: only :1 (HE) and :2
-## (radius) are used.
-##
-## 2001:470:1f09:1b98::/64
-## House border network (dmz).
-##
-## 2001:470:9740::/48
-## Main house range. See below for allocation policy.
-##
## 2001:8b0:c92::/48
## Main house range (aaisp). See below for allocation policy.
## There is no explicit DMZ allocation (and no need for one).
## 0 No specific site: mobile VPN endpoints or anycast addresses.
## 1 House.
## 2 Jump colocation.
+## fff Local border network.
##
## Usually site-0 networks are allocated from the Jump range to improve
## expected performance from/to external sites which don't engage in our
## House networks.
defnet dmz trusted
- addr 62.49.204.144/28 2001:470:1f09:1b98::/64
- addr 81.2.113.195 81.187.238.128/28 2001:8b0:c92::/48
+ addr 81.2.113.195 81.187.238.128/28 2001:8b0:c92:fff::/64
via unsafe untrusted
defnet unsafe trusted
- addr 172.29.199.0/25 2001:470:9740:1::/64
+ addr 172.29.199.0/25 2001:8b0:c92:1::/64
via househub
defnet safe safe
- addr 172.29.199.192/27 2001:470:9740:4001::/64
+ addr 172.29.199.192/27 2001:8b0:c92:4001::/64
via househub
defnet untrusted untrusted
- addr 172.29.198.0/25 2001:470:9740:8001::/64
+ addr 172.29.198.0/25 2001:8b0:c92:8001::/64
via househub
defnet househub virtual
addr 172.29.199.224/27 2001:ba8:1d9:0::/64
via dmz unsafe safe untrusted jump colo vpn
defnet default scary
- addr 62.49.204.144/28 2001:470:1f09:1b98::/64
+ addr 81.2.113.195 81.187.238.128/28 2001:8b0:c92::/48
addr 212.13.198.64/28 2001:ba8:0:1d9::/64
addr 2001:ba8:1d9::/48 #temporary
via dmz unsafe untrusted jump colo
-m state --state ESTABLISHED
## BCP38 filtering. Note that addresses here are seen before NAT is applied.
-bcp38 4 ppp0 62.49.204.144/28 172.29.198.0/23
-bcp38 6 t6-he \
- 2001:470:1f08:1b98::2 2001:470:1f09:1b98::/64 \
- 2001:470:9740::/48
+bcp38 4 ppp0 81.2.113.195 81.187.238.128/28 172.29.198.0/23
+bcp38 6 ppp0 2001:8b0:c92::/48
## NAT for RFC1918 addresses.
for i in PREROUTING OUTPUT POSTROUTING; do
run iptables -t nat -N outbound
run iptables -t nat -A outbound -j RETURN ! -o ppp0
run iptables -t nat -A outbound -j RETURN ! -s 172.29.198.0/23
-run iptables -t nat -A outbound -j RETURN -d 62.49.204.144/28
+run iptables -t nat -A outbound -j RETURN -d 81.187.238.128/28
run iptables -t nat -A outbound -j RETURN -d 172.29.198.0/23
## An awful hack.
##run iptables -t nat -A outbound -j DNETMAP --reuse \
-## -s 172.29.199.44 --prefix 62.49.204.157
+## -s 172.29.199.44 --prefix 81.187.238.142
##run iptables -t nat -A outbound -j DNETMAP --reuse \
-## -s 172.29.198.34 --prefix 62.49.204.157
+## -s 172.29.198.34 --prefix 81.187.238.142
##run iptables -t nat -A outbound -j DNETMAP --reuse \
-## -s 172.29.198.11 --prefix 62.49.204.157
+## -s 172.29.198.11 --prefix 81.187.238.142
##run iptables -t nat -A PREROUTING -j DNETMAP
-run iptables -t nat -A outbound -j SNAT --to-source 62.49.204.158
+run iptables -t nat -A outbound -j SNAT --to-source 81.187.238.142
run iptables -t nat -A POSTROUTING -j outbound
## Set up NAT protocol helpers. In particular, SIP needs some special
## Forbid anything complicated to the NAT address. Be sure to allow ident,
## though.
-run iptables -A INPUT -d 62.49.204.158 -p tcp -j ACCEPT \
+run iptables -A INPUT -d 81.187.238.142 -p tcp -j ACCEPT \
-m multiport --destination-ports=113
-run iptables -A INPUT -d 62.49.204.158 ! -p icmp -j REJECT
+run iptables -A INPUT -d 81.187.238.142 ! -p icmp -j REJECT
m4_divert(-1)
###----- That's all, folks --------------------------------------------------
-s 172.29.198.0/23
ip6tables -A inbound -p udp -j ACCEPT \
--source-port 123 --destination-port 123 \
- -s 2001:470:9740::/48
+ -s 2001:ba8:1d9::/48
+ip6tables -A inbound -p udp -j ACCEPT \
+ --source-port 123 --destination-port 123 \
+ -s 2001:8b0:c92::/48
m4_divert(-1)
###----- That's all, folks --------------------------------------------------
~mdw / firewall / commitdiff