From: Mark Wooding Date: Sun, 28 Apr 2024 18:47:08 +0000 (+0100) Subject: local.m4, fender.m4, radius.m4: Fixing for `fender' coming home. X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/commitdiff_plain local.m4, fender.m4, radius.m4: Fixing for `fender' coming home. --- diff --git a/fender.m4 b/fender.m4 index 77a08fe..e1aff1f 100644 --- a/fender.m4 +++ b/fender.m4 @@ -38,8 +38,8 @@ run ip46tables -A inbound-untrusted -p udp -j ACCEPT \ --source-port 123 --destination-port 123 ## Guaranteed black hole. Put this at the very front of the chain. -run iptables -I INPUT -d 212.13.198.78 -j DROP -run ip6tables -I INPUT -d 2001:ba8:0:1d9::ffff -j DROP +run iptables -I INPUT -d 217.169.12.78 -j DROP +run ip6tables -I INPUT -d 2001:8b0:c92:fff::ffff -j DROP ## Ethernet bridge-level filtering for source addresses. run ebtables -F @@ -57,28 +57,15 @@ for ch in bad-source-addr bcp38; do run ebtables -A $ch -j DROP done -run ebtables -N check-eth0 -run ebtables -A check-eth0 -j RETURN -p ip --ip-source ! 212.13.198.64/28 -run ebtables -A check-eth0 -j RETURN -p ip6 --ip6-source 2001:ba8:0:1d9::1 -run ebtables -A check-eth0 -j bad-source-addr \ - -p ip6 --ip6-source 2001:ba8:1d9::/48 -run ebtables -A check-eth0 -j bad-source-addr \ - -p ip6 --ip6-source 2001:ba8:0:1d9::/64 -run ebtables -A check-eth0 -j RETURN -p ip6 -run ebtables -A check-eth0 -j RETURN -p ip --ip-source 212.13.198.64/30 -run ebtables -A check-eth0 -j RETURN -p ip --ip-source 212.13.198.68 -run ebtables -A check-eth0 -j bad-source-addr -p ip -run ebtables -A INPUT -j check-eth0 -i bond0 -run ebtables -A FORWARD -j check-eth0 -i bond0 - run ebtables -N check-bcp38 -run ebtables -A check-bcp38 -j RETURN -p ip --ip-source 212.13.198.64/28 +run ebtables -A check-bcp38 -j RETURN -p ip --ip-source 81.187.238.128/28 +run ebtables -A check-bcp38 -j RETURN -p ip --ip-source 217.169.12.64/28 run ebtables -A check-bcp38 -j bcp38 -p ip -run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source 2001:ba8:0:1d9::/64 +run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source 2001:8b0:c92::/48 run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source 2001:ba8:1d9::/48 run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source fe80::/10 run ebtables -A check-bcp38 -j bcp38 -p ip6 -run ebtables -A FORWARD -j check-bcp38 -o bond0 +run ebtables -A FORWARD -j check-bcp38 -o br-dmz ## There's a hideous bug in Linux 3.2.51-1's ebtables: for some reason it ## misparses (at least) locally originated multicast packets, and tries to diff --git a/local.m4 b/local.m4 index fc6dae2..640f341 100644 --- a/local.m4 +++ b/local.m4 @@ -39,14 +39,10 @@ m4_divert(-1) ## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN. ## The former are as follows. ## -## 81.2.113.195, 81.187.238.128/28 +## 81.2.113.195, 81.187.238.128/28, 217.169.12.64/28 ## House border network (dmz). We have all of these; the loose ## address is for the router. ## -## 212.13.18.64/28 -## Jump colocated network (jump). .65--68 are used by Jump -## network infrastructure; we get the rest. -## ## The latter is the block 172.29.196.0/22. Currently the low half is ## unallocated (and may be returned to the G-RIN); the remaining addresses ## are allocated as follows. @@ -74,13 +70,6 @@ m4_divert(-1) ## Main house range (aaisp). See below for allocation policy. ## There is no explicit DMZ allocation (and no need for one). ## -## 2001:ba8:0:1d9::/64 -## Jump border network (jump): :1 is the router (supplied by -## Jump); other addresses are ours. -## -## 2001:ba8:1d9::/48 -## Main colocated range. See below for allocation policy. -## ## Addresses in the /64 networks are simply allocated in ascending order. ## The /48s are split into /64s by appending a 16-bit network number. The ## top nibble of the network number classifies the network, as follows. @@ -101,12 +90,7 @@ m4_divert(-1) ## ## 0 No specific site: mobile VPN endpoints or anycast addresses. ## 1 House. -## 2 Jump colocation. ## fff Local border network. -## -## Usually site-0 networks are allocated from the Jump range to improve -## expected performance from/to external sites which don't engage in our -## dynamic routing protocols. ## Define the available network classes. m4_divert(42)m4_dnl @@ -127,7 +111,7 @@ m4_divert(26)m4_dnl ## House networks. defnet dmz trusted - addr 81.2.113.195 81.187.238.128/28 2001:8b0:c92:fff::/64 + addr 81.2.113.195 81.187.238.128/28 217.169.12.64/28 2001:8b0:c92:fff::/64 via unsafe untrusted defnet unsafe trusted addr 172.29.199.0/25 2001:8b0:c92:1::/64 @@ -147,13 +131,13 @@ defnet housebdry virtual ## House hosts. defhost radius hosttype router - iface eth0 dmz unsafe safe untrusted vpn sgo colobdry default - iface eth1 dmz unsafe safe untrusted vpn sgo colobdry default - iface eth2 dmz unsafe safe untrusted vpn sgo colobdry + iface eth0 dmz unsafe safe untrusted vpn sgo default + iface eth1 dmz unsafe safe untrusted vpn sgo default + iface eth2 dmz unsafe safe untrusted vpn sgo iface eth3 unsafe untrusted vpn default iface ppp0 default iface t6-he default - iface vpn-precision colobdry vpn sgo + iface vpn-precision vpn sgo iface vpn-chiark sgo iface vpn-+ vpn defhost roadstar @@ -172,11 +156,11 @@ defhost artist iface eth3 unsafe untrusted defhost vampire hosttype router - iface eth0.4 dmz unsafe untrusted safe vpn sgo colobdry - iface eth0.5 dmz unsafe untrusted safe vpn sgo colobdry - iface eth0.6 dmz unsafe safe untrusted vpn sgo colobdry + iface eth0.4 dmz unsafe untrusted safe vpn sgo + iface eth0.5 dmz unsafe untrusted safe vpn sgo + iface eth0.6 dmz unsafe safe untrusted vpn sgo iface eth0.7 unsafe untrusted vpn - iface vpn-precision colobdry vpn sgo + iface vpn-precision vpn sgo iface vpn-chiark sgo iface vpn-+ vpn defhost ibanez @@ -194,65 +178,55 @@ defhost gibson hosttype client iface eth0 unsafe -## Colocated networks. -defnet jump trusted - addr 212.13.198.64/28 2001:ba8:0:1d9::/64 - via colohub -defnet colo trusted - addr 172.29.199.176/28 2001:ba8:1d9:2::/64 - via colohub -defnet colohub virtual - via colobdry jump colo -defnet colobdry virtual - via colohub hub -defnet iodine untrusted - addr 172.29.198.128/28 - via colohub -defnet hippotat untrusted - addr 172.29.198.144/28 - via colohub - -## Colocated hosts. +## Formerly colocated hosts. defhost fender - iface br-jump jump colo - iface br-colo jump colo + iface br-dmz dmz unsafe + iface br-unsafe dmz unsafe defhost precision hosttype router - iface eth0 jump colo vpn sgo - iface eth1 jump colo vpn sgo + iface eth0 dmz unsafe vpn sgo + iface eth1 dmz unsafe vpn sgo iface vpn-mango binswood - iface vpn-radius housebdry vpn sgo iface vpn-chiark sgo iface vpn-national upn iface vpn-mdwdev upn iface vpn-+ vpn defhost telecaster - iface eth0 jump colo - iface eth1 jump colo + iface eth0 dmz unsafe vpn sgo + iface eth1 dmz unsafe vpn sgo defhost stratocaster - iface eth0 jump colo - iface eth1 jump colo + iface eth0 dmz unsafe vpn sgo + iface eth1 dmz unsafe vpn sgo defhost jazz hosttype router - iface eth0 jump colo vpn - iface eth1 jump colo vpn + iface eth0 dmz unsafe vpn sgo + iface eth1 dmz unsafe vpn sgo iface dns0 iodine iface hippo-svc hippotat iface vpn-+ vpn +## Stunt connectivity networks. +defnet iodine untrusted + addr 172.29.198.128/28 + via colohub +defnet hippotat untrusted + addr 172.29.198.144/28 + via colohub + + ## Other networks. defnet hub virtual - via housebdry colobdry + via housebdry defnet sgo noloop addr !172.29.198.0/23 addr !10.165.27.0/24 addr 10.0.0.0/8 addr 172.16.0.0/12 addr 192.168.0.0/16 - via househub colohub + via househub defnet vpn trusted - addr 172.29.199.128/27 2001:ba8:1d9:6000::/64 - via househub colohub + addr 172.29.199.128/27 2001:8b0:c92:6000::/64 + via househub host crybaby 1 ::1:1 host terror 2 ::2:1 host orange 3 ::3:1 @@ -260,32 +234,31 @@ defnet vpn trusted host spirit 9 ::9:1 host groove 10 ::10:1 defnet anycast trusted - addr 172.29.199.224/27 2001:ba8:1d9:0::/64 - via dmz unsafe safe untrusted jump colo vpn + addr 172.29.199.224/27 2001:8b0:c92:0::/64 + via dmz unsafe safe untrusted vpn nvpn defnet default scary - addr 81.2.113.195 81.187.238.128/28 2001:8b0:c92::/48 - addr 212.13.198.64/28 2001:ba8:0:1d9::/64 - addr 2001:ba8:1d9::/48 #temporary - via dmz unsafe untrusted jump colo + addr 81.2.113.195 81.187.238.128/28 217.169.12.64/28 \ + 2001:8b0:c92::/48 + via dmz unsafe untrusted defnet upn untrusted - addr 172.29.198.160/27 2001:ba8:1d9:a000::/64 - via colohub + addr 172.29.198.160/27 2001:8b0:c92:a000::/64 + via househub host national 1 ::1:1 host mdwdev 2 ::2:1 ## Linode hosts. defhost national iface eth0 default - iface vpn-precision colohub + iface vpn-precision househub ## Satellite networks. defnet binswood vpnnat addr 10.165.27.0/24 - via colohub + via househub defhost mango hosttype router iface eth0 binswood default - iface vpn-precision colo default + iface vpn-precision dmz default m4_divert(80)m4_dnl ###-------------------------------------------------------------------------- @@ -407,7 +380,6 @@ openports inbound ## Inspect inbound packets from untrusted sources. run iptables -A inbound -s 172.29.198.0/24 -g inbound-untrusted run ip6tables -A inbound -s 2001:8b0:c92:8000::/49 -g inbound-untrusted -run ip6tables -A inbound -s 2001:ba8:1d9:8000::/49 -g inbound-untrusted run ip46tables -A inbound-untrusted -g forbidden run ip46tables -A inbound -g forbidden run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound diff --git a/radius.m4 b/radius.m4 index 6b4a32a..3b9a45f 100644 --- a/radius.m4 +++ b/radius.m4 @@ -58,7 +58,7 @@ iptables -A fwd-spec-nofrag -j ACCEPT \ -m state --state ESTABLISHED ## BCP38 filtering. Note that addresses here are seen before NAT is applied. -bcp38 4 ppp0 81.2.113.195 81.187.238.128/28 172.29.198.0/23 +bcp38 4 ppp0 81.2.113.195 81.187.238.128/28 217.169.12.64/28 172.29.198.0/23 bcp38 6 ppp0 2001:8b0:c92::/48 ## NAT for RFC1918 addresses.