--source-port 123 --destination-port 123
## Guaranteed black hole. Put this at the very front of the chain.
-run iptables -I INPUT -d 212.13.198.78 -j DROP
-run ip6tables -I INPUT -d 2001:ba8:0:1d9::ffff -j DROP
+run iptables -I INPUT -d 217.169.12.78 -j DROP
+run ip6tables -I INPUT -d 2001:8b0:c92:fff::ffff -j DROP
## Ethernet bridge-level filtering for source addresses.
run ebtables -F
run ebtables -A $ch -j DROP
done
-run ebtables -N check-eth0
-run ebtables -A check-eth0 -j RETURN -p ip --ip-source ! 212.13.198.64/28
-run ebtables -A check-eth0 -j RETURN -p ip6 --ip6-source 2001:ba8:0:1d9::1
-run ebtables -A check-eth0 -j bad-source-addr \
- -p ip6 --ip6-source 2001:ba8:1d9::/48
-run ebtables -A check-eth0 -j bad-source-addr \
- -p ip6 --ip6-source 2001:ba8:0:1d9::/64
-run ebtables -A check-eth0 -j RETURN -p ip6
-run ebtables -A check-eth0 -j RETURN -p ip --ip-source 212.13.198.64/30
-run ebtables -A check-eth0 -j RETURN -p ip --ip-source 212.13.198.68
-run ebtables -A check-eth0 -j bad-source-addr -p ip
-run ebtables -A INPUT -j check-eth0 -i bond0
-run ebtables -A FORWARD -j check-eth0 -i bond0
-
run ebtables -N check-bcp38
-run ebtables -A check-bcp38 -j RETURN -p ip --ip-source 212.13.198.64/28
+run ebtables -A check-bcp38 -j RETURN -p ip --ip-source 81.187.238.128/28
+run ebtables -A check-bcp38 -j RETURN -p ip --ip-source 217.169.12.64/28
run ebtables -A check-bcp38 -j bcp38 -p ip
-run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source 2001:ba8:0:1d9::/64
+run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source 2001:8b0:c92::/48
run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source 2001:ba8:1d9::/48
run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source fe80::/10
run ebtables -A check-bcp38 -j bcp38 -p ip6
-run ebtables -A FORWARD -j check-bcp38 -o bond0
+run ebtables -A FORWARD -j check-bcp38 -o br-dmz
## There's a hideous bug in Linux 3.2.51-1's ebtables: for some reason it
## misparses (at least) locally originated multicast packets, and tries to
## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN.
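Review bot: `check-bcp38` still has a `RETURN` for `--ip6-source 2001:ba8:1d9::/48` on the line right after the new `2001:8b0:c92::/48` rule, while everywhere else in this commit that old colocated prefix is dropped (the `#temporary` address on `default`, the `inbound` rule for `2001:ba8:1d9:8000::/49`, the allocation comments). With the chain now hooked on `-o br-dmz`, that exception lets packets with a source in a prefix this site apparently no longer holds leave the border unchecked, which is the one thing an egress BCP38 chain is there to stop; presumably this is an oversight rather than a deliberate grace period. Suggest deleting the line, or if the range is still mid-migration, tagging it `## TODO: drop once 2001:ba8:1d9::/48 is fully returned` so it does not linger indefinitely.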
## The former are as follows.
##
-## 81.2.113.195, 81.187.238.128/28
+## 81.2.113.195, 81.187.238.128/28, 217.169.12.64/28
## House border network (dmz). We have all of these; the loose
## address is for the router.
##
-## 212.13.18.64/28
-## Jump colocated network (jump). .65--68 are used by Jump
-## network infrastructure; we get the rest.
-##
## The latter is the block 172.29.196.0/22. Currently the low half is
## unallocated (and may be returned to the G-RIN); the remaining addresses
## are allocated as follows.
## Main house range (aaisp). See below for allocation policy.
## There is no explicit DMZ allocation (and no need for one).
##
-## 2001:ba8:0:1d9::/64
-## Jump border network (jump): :1 is the router (supplied by
-## Jump); other addresses are ours.
-##
-## 2001:ba8:1d9::/48
-## Main colocated range. See below for allocation policy.
-##
## Addresses in the /64 networks are simply allocated in ascending order.
## The /48s are split into /64s by appending a 16-bit network number. The
## top nibble of the network number classifies the network, as follows.
##
## 0 No specific site: mobile VPN endpoints or anycast addresses.
## 1 House.
-## 2 Jump colocation.
## fff Local border network.
-##
-## Usually site-0 networks are allocated from the Jump range to improve
-## expected performance from/to external sites which don't engage in our
-## dynamic routing protocols.
## Define the available network classes.
m4_divert(42)m4_dnl
## House networks.
defnet dmz trusted
- addr 81.2.113.195 81.187.238.128/28 2001:8b0:c92:fff::/64
+ addr 81.2.113.195 81.187.238.128/28 217.169.12.64/28 2001:8b0:c92:fff::/64
via unsafe untrusted
defnet unsafe trusted
addr 172.29.199.0/25 2001:8b0:c92:1::/64
## House hosts.
defhost radius
hosttype router
- iface eth0 dmz unsafe safe untrusted vpn sgo colobdry default
- iface eth1 dmz unsafe safe untrusted vpn sgo colobdry default
- iface eth2 dmz unsafe safe untrusted vpn sgo colobdry
+ iface eth0 dmz unsafe safe untrusted vpn sgo default
+ iface eth1 dmz unsafe safe untrusted vpn sgo default
+ iface eth2 dmz unsafe safe untrusted vpn sgo
iface eth3 unsafe untrusted vpn default
iface ppp0 default
iface t6-he default
- iface vpn-precision colobdry vpn sgo
+ iface vpn-precision vpn sgo
iface vpn-chiark sgo
iface vpn-+ vpn
defhost roadstar
iface eth3 unsafe untrusted
defhost vampire
hosttype router
- iface eth0.4 dmz unsafe untrusted safe vpn sgo colobdry
- iface eth0.5 dmz unsafe untrusted safe vpn sgo colobdry
- iface eth0.6 dmz unsafe safe untrusted vpn sgo colobdry
+ iface eth0.4 dmz unsafe untrusted safe vpn sgo
+ iface eth0.5 dmz unsafe untrusted safe vpn sgo
+ iface eth0.6 dmz unsafe safe untrusted vpn sgo
iface eth0.7 unsafe untrusted vpn
- iface vpn-precision colobdry vpn sgo
+ iface vpn-precision vpn sgo
iface vpn-chiark sgo
iface vpn-+ vpn
defhost ibanez
hosttype client
iface eth0 unsafe
-## Colocated networks.
-defnet jump trusted
- addr 212.13.198.64/28 2001:ba8:0:1d9::/64
- via colohub
-defnet colo trusted
- addr 172.29.199.176/28 2001:ba8:1d9:2::/64
- via colohub
-defnet colohub virtual
- via colobdry jump colo
-defnet colobdry virtual
- via colohub hub
-defnet iodine untrusted
- addr 172.29.198.128/28
- via colohub
-defnet hippotat untrusted
- addr 172.29.198.144/28
- via colohub
-
-## Colocated hosts.
+## Formerly colocated hosts.
defhost fender
- iface br-jump jump colo
- iface br-colo jump colo
+ iface br-dmz dmz unsafe
+ iface br-unsafe dmz unsafe
defhost precision
hosttype router
- iface eth0 jump colo vpn sgo
- iface eth1 jump colo vpn sgo
+ iface eth0 dmz unsafe vpn sgo
+ iface eth1 dmz unsafe vpn sgo
iface vpn-mango binswood
- iface vpn-radius housebdry vpn sgo
iface vpn-chiark sgo
iface vpn-national upn
iface vpn-mdwdev upn
iface vpn-+ vpn
defhost telecaster
- iface eth0 jump colo
- iface eth1 jump colo
+ iface eth0 dmz unsafe vpn sgo
+ iface eth1 dmz unsafe vpn sgo
defhost stratocaster
- iface eth0 jump colo
- iface eth1 jump colo
+ iface eth0 dmz unsafe vpn sgo
+ iface eth1 dmz unsafe vpn sgo
defhost jazz
hosttype router
- iface eth0 jump colo vpn
- iface eth1 jump colo vpn
+ iface eth0 dmz unsafe vpn sgo
+ iface eth1 dmz unsafe vpn sgo
iface dns0 iodine
iface hippo-svc hippotat
iface vpn-+ vpn
+## Stunt connectivity networks.
+defnet iodine untrusted
+ addr 172.29.198.128/28
+ via colohub
+defnet hippotat untrusted
+ addr 172.29.198.144/28
+ via colohub
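Review bot: The re-added `iodine` and `hippotat` definitions keep `via colohub`, but this commit deletes `defnet colohub virtual` and rewrites every other `via colohub` (`upn`, `national`, `binswood`) to `via househub`, so these two now point at a network that no longer exists. Unless the generator rejects an unknown `via` target (and if it does not, the likely outcome is that the reachability rules for these two untrusted networks silently go missing rather than an error), they should get the same treatment: `via househub` on both. Separately, `anycast`'s new `via dmz unsafe safe untrusted vpn nvpn` names `nvpn`, which is not defined anywhere visible here; worth confirming it exists elsewhere in the file rather than being a typo for `vpn` or `upn`.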
+
+
## Other networks.
defnet hub virtual
- via housebdry colobdry
+ via housebdry
defnet sgo noloop
addr !172.29.198.0/23
addr !10.165.27.0/24
addr 10.0.0.0/8
addr 172.16.0.0/12
addr 192.168.0.0/16
- via househub colohub
+ via househub
defnet vpn trusted
- addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
- via househub colohub
+ addr 172.29.199.128/27 2001:8b0:c92:6000::/64
+ via househub
host crybaby 1 ::1:1
host terror 2 ::2:1
host orange 3 ::3:1
host spirit 9 ::9:1
host groove 10 ::10:1
defnet anycast trusted
- addr 172.29.199.224/27 2001:ba8:1d9:0::/64
- via dmz unsafe safe untrusted jump colo vpn
+ addr 172.29.199.224/27 2001:8b0:c92:0::/64
+ via dmz unsafe safe untrusted vpn nvpn
defnet default scary
- addr 81.2.113.195 81.187.238.128/28 2001:8b0:c92::/48
- addr 212.13.198.64/28 2001:ba8:0:1d9::/64
- addr 2001:ba8:1d9::/48 #temporary
- via dmz unsafe untrusted jump colo
+ addr 81.2.113.195 81.187.238.128/28 217.169.12.64/28 \
+ 2001:8b0:c92::/48
+ via dmz unsafe untrusted
defnet upn untrusted
- addr 172.29.198.160/27 2001:ba8:1d9:a000::/64
- via colohub
+ addr 172.29.198.160/27 2001:8b0:c92:a000::/64
+ via househub
host national 1 ::1:1
host mdwdev 2 ::2:1
## Linode hosts.
defhost national
iface eth0 default
- iface vpn-precision colohub
+ iface vpn-precision househub
## Satellite networks.
defnet binswood vpnnat
addr 10.165.27.0/24
- via colohub
+ via househub
defhost mango
hosttype router
iface eth0 binswood default
- iface vpn-precision colo default
+ iface vpn-precision dmz default
m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
## Inspect inbound packets from untrusted sources.
run iptables -A inbound -s 172.29.198.0/24 -g inbound-untrusted
run ip6tables -A inbound -s 2001:8b0:c92:8000::/49 -g inbound-untrusted
-run ip6tables -A inbound -s 2001:ba8:1d9:8000::/49 -g inbound-untrusted
run ip46tables -A inbound-untrusted -g forbidden
run ip46tables -A inbound -g forbidden
run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound