From 295959eafba277994e9f87ff212bc80fe98f78ea Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Fri, 1 Jul 2016 21:32:07 +0100
Subject: [PATCH] Finish the switchover to Andrews & Arnold.

* Remove the old HE netblock. I've switched the house over to using the A&A IPv6 netblock throughout because multihoming just isn't going to work well.
* Remove the `aaisp' network name now that I've decided we're not doing parallel running.
* Allocate a little gateway network for the PPP-terminating router. It turns out that if I don't do this then it uses a completely bogus default source address for the PPP interface.
* Incidentally, fix the NTP-server netblocks to include the Jump range as well as the house range.
---
 fender.m4 | 5 ++++-
 ibanez.m4 | 5 ++++-
 local.m4 | 30 ++++++++----------------------
 radius.m4 | 20 +++++++++-----------
 vampire.m4 | 5 ++++-
 5 files changed, 29 insertions(+), 36 deletions(-)

diff --git a/fender.m4 b/fender.m4
index f1d84d8..00375a2 100644
--- a/fender.m4
+++ b/fender.m4
@@ -39,7 +39,10 @@ iptables -A inbound -p udp -j ACCEPT \
 -s 172.29.198.0/23
 ip6tables -A inbound -p udp -j ACCEPT \
 --source-port 123 --destination-port 123 \
- -s 2001:470:9740::/48
+ -s 2001:ba8:1d9::/48
+ip6tables -A inbound -p udp -j ACCEPT \
+ --source-port 123 --destination-port 123 \
+ -s 2001:8b0:c92::/48
 ## Guaranteed black hole. Put this at the very front of the chain.
 run iptables -I INPUT -d 212.13.198.78 -j DROP
diff --git a/ibanez.m4 b/ibanez.m4
index 4d6d24e..617200b 100644
--- a/ibanez.m4
+++ b/ibanez.m4
@@ -41,7 +41,10 @@ iptables -A inbound -p udp -j ACCEPT \
 -s 172.29.198.0/23
 ip6tables -A inbound -p udp -j ACCEPT \
 --source-port 123 --destination-port 123 \
- -s 2001:470:9740::/48
+ -s 2001:ba8:1d9::/48
+ip6tables -A inbound -p udp -j ACCEPT \
+ --source-port 123 --destination-port 123 \
+ -s 2001:8b0:c92::/48
 m4_divert(-1)
 ###----- That's all, folks --------------------------------------------------
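Review bot: The second `ip6tables -A inbound` rule added here accepts NTP from the whole Jump /48 (`-s 2001:ba8:1d9::/48`), but local.m4 in this same commit still lists that exact prefix under `defnet default scary` with a `#temporary` tag, so this widens an accept rule to a range the policy file itself does not yet treat as trusted. If the NTP peers actually live in the anycast /64 that local.m4 does declare trusted (`2001:ba8:1d9:0::/64`), the narrower `-s 2001:ba8:1d9:0::/64` would match the policy; if the whole /48 is intended, a comment such as `## Jump range: NTP peers may sit anywhere in the /48` would stop the next reader from tightening it. The only other restriction is the `--source-port 123` match, which is fine for peers but is trivially chosen by any host inside those prefixes. The `inbound` chain these rules belong to starts before the hunk.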
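Review bot: The commit message says the NTP netblocks now include the Jump range as well as the house range, but only the IPv6 side was extended: the `iptables -A inbound` rule above still accepts only `-s 172.29.198.0/23`, and the Jump IPv4 colo network that local.m4 lists as `212.13.198.64/28` is not covered. If the Jump hosts peer over IPv6 only, that is fine and deserves a comment, `## v4: house only; Jump NTP peers use v6`; otherwise add a parallel `iptables -A inbound -p udp -j ACCEPT --source-port 123 --destination-port 123 -s 212.13.198.64/28`. I cannot see from this hunk which address family the Jump peers use, so treat this as a question rather than a defect. The IPv4 rule begins before the hunk.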
diff --git a/local.m4 b/local.m4
index b0a4e4c..5dfb3a0 100644
--- a/local.m4
+++ b/local.m4
@@ -39,13 +39,9 @@ m4_divert(-1)
 ## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN.
 ## The former are as follows.
 ##
-## 62.49.204.144/28
-## House border network (dmz). We have all of these, but .145
-## is reserved for the router.
-##
 ## 81.2.113.195, 81.187.238.128/28
-## House border network (aaisp). We have all of these; the
-## loose address is for the router.
+## House border network (dmz). We have all of these; the loose
+## address is for the router.
 ##
 ## 212.13.18.64/28
 ## Jump colocated network (jump). .65--68 are used by Jump
@@ -73,16 +69,6 @@ m4_divert(-1)
 ## There are five blocks of publicly routable IPv6 addresses, though some of
 ## them aren't very interesting. The ranges are as follows.
 ##
-## 2001:470:1f08:1b98::/64
-## Hurricane Electric tunnel network: only :1 (HE) and :2
-## (radius) are used.
-##
-## 2001:470:1f09:1b98::/64
-## House border network (dmz).
-##
-## 2001:470:9740::/48
-## Main house range. See below for allocation policy.
-##
 ## 2001:8b0:c92::/48
 ## Main house range (aaisp). See below for allocation policy.
 ## There is no explicit DMZ allocation (and no need for one).
@@ -115,6 +101,7 @@ m4_divert(-1)
 ## 0 No specific site: mobile VPN endpoints or anycast addresses.
 ## 1 House.
 ## 2 Jump colocation.
+## fff Local border network.
 ##
 ## Usually site-0 networks are allocated from the Jump range to improve
 ## expected performance from/to external sites which don't engage in our
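Review bot: The context comment left in place around the deletions is now wrong on the new side: `## There are five blocks of publicly routable IPv6 addresses` counts blocks this hunk removes, and `## There is no explicit DMZ allocation (and no need for one)` is contradicted by the `2001:8b0:c92:fff::/64` that `defnet dmz` receives later in this same commit. I would drop the number, since the remaining entries are not all visible here (`## The publicly routable IPv6 ranges are as follows.`), and replace the DMZ sentence with `## The border network is carved out of this range as :fff::/64; see the site table below.`. Keeping `(aaisp)` on the house range also sits oddly with the commit's stated removal of that network name, though here it may just denote the provider.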
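Review bot: `## fff Local border network.` is added to a table whose other rows are small site numbers with a word of explanation, and it does not say that this is the PPP-terminating router's gateway /64 the commit message describes, nor that it is the prefix `defnet dmz` now uses; from the table alone a reader cannot tell whether fff is a site code or a reserved subnet id. Suggest `## fff Local border network: the PPP router's gateway /64 (2001:8b0:c92:fff::/64), used by dmz.`. The allocation-policy text this row belongs to continues outside the hunk.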
@@ -138,17 +125,16 @@ m4_divert(26)m4_dnl
 ## House networks.
 defnet dmz trusted
- addr 62.49.204.144/28 2001:470:1f09:1b98::/64
- addr 81.2.113.195 81.187.238.128/28 2001:8b0:c92::/48
+ addr 81.2.113.195 81.187.238.128/28 2001:8b0:c92:fff::/64
 via unsafe untrusted
 defnet unsafe trusted
- addr 172.29.199.0/25 2001:470:9740:1::/64
+ addr 172.29.199.0/25 2001:8b0:c92:1::/64
 via househub
 defnet safe safe
- addr 172.29.199.192/27 2001:470:9740:4001::/64
+ addr 172.29.199.192/27 2001:8b0:c92:4001::/64
 via househub
 defnet untrusted untrusted
- addr 172.29.198.0/25 2001:470:9740:8001::/64
+ addr 172.29.198.0/25 2001:8b0:c92:8001::/64
 via househub
 defnet househub virtual
@@ -268,7 +254,7 @@ defnet anycast trusted
 addr 172.29.199.224/27 2001:ba8:1d9:0::/64
 via dmz unsafe safe untrusted jump colo vpn
 defnet default scary
- addr 62.49.204.144/28 2001:470:1f09:1b98::/64
+ addr 81.2.113.195 81.187.238.128/28 2001:8b0:c92::/48
 addr 212.13.198.64/28 2001:ba8:0:1d9::/64
 addr 2001:ba8:1d9::/48 #temporary
 via dmz unsafe untrusted jump colo
diff --git a/radius.m4 b/radius.m4
index d8efa4f..6b4a32a 100644
--- a/radius.m4
+++ b/radius.m4
@@ -58,10 +58,8 @@ iptables -A fwd-spec-nofrag -j ACCEPT \
 -m state --state ESTABLISHED
 ## BCP38 filtering. Note that addresses here are seen before NAT is applied.
-bcp38 4 ppp0 62.49.204.144/28 172.29.198.0/23
-bcp38 6 t6-he \
- 2001:470:1f08:1b98::2 2001:470:1f09:1b98::/64 \
- 2001:470:9740::/48
+bcp38 4 ppp0 81.2.113.195 81.187.238.128/28 172.29.198.0/23
+bcp38 6 ppp0 2001:8b0:c92::/48
 ## NAT for RFC1918 addresses.
 for i in PREROUTING OUTPUT POSTROUTING; do
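Review bot: `addr 81.2.113.195 81.187.238.128/28 2001:8b0:c92::/48` puts the entire house /48 into `defnet default scary`, whereas the line it replaces held only the border /64; every house /64 defined earlier in this file (`:fff`, `:1`, `:4001`, `:8001`) now also matches the scary default. If defnet resolution is longest-prefix this is harmless and probably intended so that unallocated /64s are scary, like the `#temporary` Jump /48 on the next line; if it is first-match, or the default net is used to derive an "external" address list, house LAN prefixes will be classed scary. The defnet implementation is not visible from this hunk, so either narrow the entry to the border /64 to match the IPv4 part of the same line (`2001:8b0:c92:fff::/64`) or annotate it, `addr 81.2.113.195 81.187.238.128/28 2001:8b0:c92::/48 # whole range: unallocated /64s are scary`.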
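Review bot: `bcp38 6 ppp0 2001:8b0:c92::/48` names only the house /48 as a legitimate IPv6 source on ppp0, while the IPv4 line's `172.29.198.0/23` happens to cover the anycast `172.29.199.224/27`; the v6 anycast counterpart `2001:ba8:1d9:0::/64` (`defnet anycast trusted`, reachable `via dmz unsafe safe untrusted` in local.m4) is in neither list. If `bcp38` drops egress whose source is outside the listed prefixes, house hosts answering from an anycast v6 address lose the ppp0 egress they keep on v4. If anycast v6 is meant to leave via ppp0, extend the line to `bcp38 6 ppp0 2001:8b0:c92::/48 2001:ba8:1d9:0::/64`; if it is Jump-only, a one-line comment saying so would make the asymmetry deliberate. The `bcp38` macro is defined outside this hunk, so its exact semantics are inferred from the comment above it.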
@@ -74,19 +72,19 @@ run iptables -t nat -X
 run iptables -t nat -N outbound
 run iptables -t nat -A outbound -j RETURN ! -o ppp0
 run iptables -t nat -A outbound -j RETURN ! -s 172.29.198.0/23
-run iptables -t nat -A outbound -j RETURN -d 62.49.204.144/28
+run iptables -t nat -A outbound -j RETURN -d 81.187.238.128/28
 run iptables -t nat -A outbound -j RETURN -d 172.29.198.0/23
 ## An awful hack.
 ##run iptables -t nat -A outbound -j DNETMAP --reuse \
-## -s 172.29.199.44 --prefix 62.49.204.157
+## -s 172.29.199.44 --prefix 81.187.238.142
 ##run iptables -t nat -A outbound -j DNETMAP --reuse \
-## -s 172.29.198.34 --prefix 62.49.204.157
+## -s 172.29.198.34 --prefix 81.187.238.142
 ##run iptables -t nat -A outbound -j DNETMAP --reuse \
-## -s 172.29.198.11 --prefix 62.49.204.157
+## -s 172.29.198.11 --prefix 81.187.238.142
 ##run iptables -t nat -A PREROUTING -j DNETMAP
-run iptables -t nat -A outbound -j SNAT --to-source 62.49.204.158
+run iptables -t nat -A outbound -j SNAT --to-source 81.187.238.142
 run iptables -t nat -A POSTROUTING -j outbound
 ## Set up NAT protocol helpers. In particular, SIP needs some special
@@ -101,9 +99,9 @@ done
 ## Forbid anything complicated to the NAT address. Be sure to allow ident,
 ## though.
-run iptables -A INPUT -d 62.49.204.158 -p tcp -j ACCEPT \
+run iptables -A INPUT -d 81.187.238.142 -p tcp -j ACCEPT \
 -m multiport --destination-ports=113
-run iptables -A INPUT -d 62.49.204.158 ! -p icmp -j REJECT
+run iptables -A INPUT -d 81.187.238.142 ! -p icmp -j REJECT
 m4_divert(-1)
 ###----- That's all, folks --------------------------------------------------
diff --git a/vampire.m4 b/vampire.m4
index ed9bd9b..bb91c7c 100644
--- a/vampire.m4
+++ b/vampire.m4
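Review bot: The SNAT source and the commented-out DNETMAP prefix are now the same address: `--to-source 81.187.238.142` and the three `--prefix 81.187.238.142` lines, whereas the old file kept them distinct (`.157` for DNETMAP, `.158` for SNAT). Re-enabling the "awful hack" would then hand out the SNAT address as a 1:1 mapping; if the old split was deliberate, the analogous value in the new /28 is `--prefix 81.187.238.141`, with `.142` left to SNAT. Separately, the NAT bypass `RETURN -d 81.187.238.128/28` omits the loose router address `81.2.113.195` that the same commit adds to `bcp38 4 ppp0`; that is probably fine if that address lives on ppp0 itself and so never needs forwarding, but a short comment saying so would save the next reader the same check.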
@@ -68,7 +68,10 @@ iptables -A inbound -p udp -j ACCEPT \
 -s 172.29.198.0/23
 ip6tables -A inbound -p udp -j ACCEPT \
 --source-port 123 --destination-port 123 \
- -s 2001:470:9740::/48
+ -s 2001:ba8:1d9::/48
+ip6tables -A inbound -p udp -j ACCEPT \
+ --source-port 123 --destination-port 123 \
+ -s 2001:8b0:c92::/48
 m4_divert(-1)
 ###----- That's all, folks --------------------------------------------------
-- 
2.11.0
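Review bot: This is the third verbatim copy of the same NTP accept block (fender.m4 and ibanez.m4 carry identical `iptables`/`ip6tables -A inbound ... --source-port 123 --destination-port 123` rules), and this commit had to edit all three in lockstep to change one prefix. Since these files are m4 already, a single definition in local.m4 holding the NTP peer prefixes (house v4 /23, house v6 /48, Jump v6 /48) and expanded on each host would keep the netblocks in one place and make the next renumbering a one-line change; whether local.m4 already has a convention for host-side macros is not visible here. The `inbound` chain these rules belong to starts before the hunk.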