From e7de4e98fd2e8ff83dba6a6117b2d90266f1065e Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Wed, 4 Sep 2013 11:00:56 +0100
Subject: [PATCH] fender.m4: Trap bad source IP addresses at the ethernet bridge layer.

Since we don't have control of the Jump router, and it doesn't seem to trap spoofed packets, we must do that ourselves.
---
 fender.m4 | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/fender.m4 b/fender.m4
index c8b2ee7..dda96f8 100644
--- a/fender.m4
+++ b/fender.m4
@@ -37,5 +37,30 @@ ntpclient inbound $ntp_servers
 run iptables -I INPUT -d 212.13.198.78 -j DROP
 run ip6tables -I INPUT -d 2001:ba8:0:1d9::ffff -j DROP
+## Ethernet bridge-level filtering for source addresses.
+run ebtables -F
+for c in bad-source-addr check-eth0; do
+ run ebtables -X $c >/dev/null 2>&1 || :
+done
+for i in log limit ip ip6; do run modprobe ebt-$i; done
+run ebtables -N bad-source-addr
+run ebtables -A bad-source-addr \
+ --limit 20/second --limit-burst 100 \
+ --log-prefix "fw: bad-source-addr(br) " --log-ip --log-ip6
+run ebtables -A bad-source-addr -j DROP
+run ebtables -N check-eth0
+run ebtables -A check-eth0 -j RETURN -p ip --ip-source ! 212.13.198.64/28
+run ebtables -A check-eth0 -j RETURN -p ip6 --ip6-source 2001:ba8:0:1d9::1
+run ebtables -A check-eth0 -j bad-source-addr \
+ -p ip6 --ip6-source 2001:ba8:1d9::/48
+run ebtables -A check-eth0 -j bad-source-addr \
+ -p ip6 --ip6-source 2001:ba8:0:1d9::/64
+run ebtables -A check-eth0 -j RETURN -p ip6
+run ebtables -A check-eth0 -j RETURN -p ip --ip-source 212.13.198.64/30
+run ebtables -A check-eth0 -j RETURN -p ip --ip-source 212.13.198.68
+run ebtables -A check-eth0 -j bad-source-addr -p ip
+run ebtables -A INPUT -j check-eth0 -i bond0
+run ebtables -A FORWARD -j check-eth0 -i bond0
+
 
 m4_divert(-1)
 ###----- That's all, folks --------------------------------------------------
-- 
2.11.0
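Review bot: check-eth0 only inspects frames whose ethertype is ip or ip6; any other frame (802.1Q-tagged IP, for instance) runs off the end of the chain with no source check and is disposed of by the chain's policy rather than by a rule, so if tagged or otherwise encapsulated frames can arrive on bond0 the spoofing trap does not cover them — an explicit final rule, or a comment recording that bond0 carries only untagged IP, would make that assumption visible. The chain is called check-eth0 but is attached with `-i bond0` on both INPUT and FORWARD; `check-bond0` would match what the code does. The two IPv6 trap rules use different prefixes, 2001:ba8:1d9::/48 and 2001:ba8:0:1d9::/64, which a later reader may take for a typo and "fix"; a comment above them naming which one is the routed allocation and which the link net (and why only ::1 on the latter is a legitimate source) would prevent that. The first IPv4 rule returns everything outside 212.13.198.64/28, so the later ip rules only ever see our own prefix and their final catch-all traps the rest; that ordering deserves a one-line comment as well.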