fender.m4: Trap bad source IP addresses at the ethernet bridge layer.

Since we don't have control of the Jump router, and it doesn't seem to
trap spoofed packets, we must do that ourselves.

diff --git a/fender.m4 b/fender.m4
index c8b2ee7..dda96f8 100644 (file)
--- a/fender.m4
+++ b/fender.m4
@@ -37,5 +37,30 @@ ntpclient inbound $ntp_servers
 run iptables -I INPUT -d 212.13.198.78 -j DROP
 run ip6tables -I INPUT -d 2001:ba8:0:1d9::ffff -j DROP
 
+## Ethernet bridge-level filtering for source addresses.
+run ebtables -F
+for c in bad-source-addr check-eth0; do
+  run ebtables -X $c >/dev/null 2>&1 || :
+done
+for i in log limit ip ip6; do run modprobe ebt-$i; done
+run ebtables -N bad-source-addr
+run ebtables -A bad-source-addr \
+       --limit 20/second --limit-burst 100 \
+       --log-prefix "fw: bad-source-addr(br) " --log-ip --log-ip6
+run ebtables -A bad-source-addr -j DROP
+run ebtables -N check-eth0
+run ebtables -A check-eth0 -j RETURN -p ip --ip-source ! 212.13.198.64/28
+run ebtables -A check-eth0 -j RETURN -p ip6 --ip6-source 2001:ba8:0:1d9::1
+run ebtables -A check-eth0 -j bad-source-addr \
+       -p ip6 --ip6-source 2001:ba8:1d9::/48
+run ebtables -A check-eth0 -j bad-source-addr \
+       -p ip6 --ip6-source 2001:ba8:0:1d9::/64
+run ebtables -A check-eth0 -j RETURN -p ip6
+run ebtables -A check-eth0 -j RETURN -p ip --ip-source 212.13.198.64/30
+run ebtables -A check-eth0 -j RETURN -p ip --ip-source 212.13.198.68
+run ebtables -A check-eth0 -j bad-source-addr -p ip
+run ebtables -A INPUT -j check-eth0 -i bond0
+run ebtables -A FORWARD -j check-eth0 -i bond0
+
 m4_divert(-1)
 ###----- That's all, folks --------------------------------------------------