Firewalls: Difference between revisions

From 44Net Wiki
Kb3vwg (talk | contribs)
Created page with "Welcome to the Firewall Wiki. NOTE: This page is intended to be edited by the community to add use practices, command syntax, etc. regarding firewalling and security on AMPRN..."
 
Kb3vwg (talk | contribs)
Line 14: Line 14:
  # DROPS OUTBOUND UNASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
  # DROPS OUTBOUND UNASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
  # YOU MUST ADD A RULE UNDER THIS LINE TO MAKE EXCEPTIONS
  # YOU MUST ADD A RULE UNDER THIS LINE TO MAKE EXCEPTIONS
  iptables -I FORWARD ! -s 44.xxx.xxx.xxx2xx -o tunl0 -j DROP
  iptables -I FORWARD ! -s 44.xxx.xxx.xxx/xx -o tunl0 -j DROP
  ############################################################
  ############################################################
  # DROPS BOGONS ENTERING AMPRNet
  # DROPS BOGONS ENTERING AMPRNet
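Review bot: the corrected rule `iptables -I FORWARD ! -s 44.xxx.xxx.xxx/xx -o tunl0 -j DROP` now carries a prefix length, which the earlier `44.xxx.xxx.xxx2xx` lacked, so iptables will accept it once the placeholder is filled in. The comment `# YOU MUST ADD A RULE UNDER THIS LINE TO MAKE EXCEPTIONS` would be clearer if it said why: `-I` inserts at the top of the chain, so a rule issued later in the script is evaluated before this one.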
Line 32: Line 32:
  iptables -t raw -I PREROUTING -s 224.0.0.0/4 -i tunl0 -j DROP
  iptables -t raw -I PREROUTING -s 224.0.0.0/4 -i tunl0 -j DROP
  iptables -t raw -I PREROUTING -s 240.0.0.0/4 -i tunl0 -j DROP
  iptables -t raw -I PREROUTING -s 240.0.0.0/4 -i tunl0 -j DROP


== Cisco ==
== Cisco ==
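Review bot: the added `== Cisco ==` heading has nothing beneath it, so the rendered page ends in an empty section; add at least a one-line placeholder under it, or hold the heading until there is Cisco content to put there.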

Revision as of 23:53, 22 August 2016

Welcome to the Firewall Wiki.

NOTE: This page is intended to be edited by the community to add usage practices, command syntax, etc. regarding firewalling and security on AMPRNet nodes. While each operator is ultimately responsible for the administration of their node, it is highly recommended within the 44 community that nodes be firewalled.


== iptables ==

 ############################################################
 # DROPS IP TRAFFIC THAT'S INVALID ENTERING OR EXITING AMPR
 # THIS PREVENTS A GENERAL LOOP (NEVER FORWARD tunl0 BACK INTO tunl0)
 iptables -I FORWARD -i tunl0 -o tunl0 -j DROP
 # ANTI-SPOOFING: TRAFFIC FROM THE LAN SIDE (br-amprnet) MUST BE SOURCED FROM
 # YOUR ASSIGNED 44 SUBNET, AND TRAFFIC ARRIVING FROM THE TUNNEL MUST NOT BE
 # (REPLACE 44.xxx.xxx.xxx/xx WITH YOUR ASSIGNED SUBNET IN EVERY RULE BELOW)
 iptables -t raw -I PREROUTING ! -s 44.xxx.xxx.xxx/xx -i br-amprnet -j DROP
 iptables -t raw -I PREROUTING -s 44.xxx.xxx.xxx/xx -i tunl0 -j DROP
 # DROPS OUTBOUND UNASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP
 # YOU MUST ADD A RULE UNDER THIS LINE TO MAKE EXCEPTIONS
 # (-I INSERTS AT THE TOP OF THE CHAIN, SO A RULE ISSUED LATER IS CHECKED FIRST)
 iptables -I FORWARD ! -s 44.xxx.xxx.xxx/xx -o tunl0 -j DROP
 ############################################################
 # DROPS BOGONS ENTERING AMPRNet
 # SEE http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
 iptables -t raw -I PREROUTING -s 0.0.0.0/8 -i tunl0 -j DROP
 iptables -t raw -I PREROUTING -s 10.0.0.0/8 -i tunl0 -j DROP
 iptables -t raw -I PREROUTING -s 100.64.0.0/10 -i tunl0 -j DROP
 iptables -t raw -I PREROUTING -s 127.0.0.0/8 -i tunl0 -j DROP
 iptables -t raw -I PREROUTING -s 169.254.0.0/16 -i tunl0 -j DROP
 iptables -t raw -I PREROUTING -s 172.16.0.0/12 -i tunl0 -j DROP
 iptables -t raw -I PREROUTING -s 192.0.0.0/24 -i tunl0 -j DROP
 iptables -t raw -I PREROUTING -s 192.0.2.0/24 -i tunl0 -j DROP
 iptables -t raw -I PREROUTING -s 192.168.0.0/16 -i tunl0 -j DROP
 iptables -t raw -I PREROUTING -s 198.18.0.0/15 -i tunl0 -j DROP
 iptables -t raw -I PREROUTING -s 198.51.100.0/24 -i tunl0 -j DROP
 iptables -t raw -I PREROUTING -s 203.0.113.0/24 -i tunl0 -j DROP
 iptables -t raw -I PREROUTING -s 224.0.0.0/4 -i tunl0 -j DROP
 iptables -t raw -I PREROUTING -s 240.0.0.0/4 -i tunl0 -j DROP
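The rule set above has to be edited by hand in four places to insert the operator's assigned subnet, and this revision itself exists to fix a typo in one of those places. The script below is an added example, not part of the wiki page or of any 44Net tooling: it takes the assigned subnet as a single parameter, checks that it is a well-formed A.B.C.D/N prefix before anything reaches iptables, and then issues the page's rules in the page's order. Interface names tunl0 and br-amprnet are assumed to be as on the page; the IPT variable defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example (not from the 44Net Wiki): generates the AMPRNet iptables
# rule set from a single assigned-subnet parameter, validating the CIDR
# first so a malformed value (such as a missing "/N") is rejected instead
# of being passed to iptables.
# Assumed: interface names tunl0 and br-amprnet as on the wiki page.
# IPT defaults to "echo iptables" (dry run: prints the commands); run with
# IPT=iptables as root to apply them.

IPT="${IPT:-echo iptables}"

# Bogon prefixes from the wiki page (Team Cymru non-aggregated list).
BOGONS="0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.168.0.0/16 198.18.0.0/15
198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 240.0.0.0/4"

# valid_cidr A.B.C.D/N -> 0 if all four octets are 0-255 and N is 0-32.
valid_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;              # no prefix length at all
    esac
    addr="${1%/*}"
    plen="${1#*/}"
    case "$plen" in
        ''|*[!0-9]*) return 1 ;;    # prefix length must be decimal digits
    esac
    [ "$plen" -le 32 ] || return 1
    oldifs="$IFS"; IFS=.
    set -- $addr                    # split the address into octets
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ampr_rules SUBNET -> emits (or applies) the wiki's rules for that subnet,
# in the wiki's order. Every rule uses -I (insert at position 1), so a rule
# issued later in the script is evaluated EARLIER in the chain; exceptions
# to the unassigned-source DROP must therefore be issued after this returns.
ampr_rules() {
    subnet="$1"
    if ! valid_cidr "$subnet"; then
        echo "ampr_rules: '$subnet' is not a valid A.B.C.D/N prefix" >&2
        return 1
    fi
    # Loop prevention: never forward a tunnel packet back into the tunnel.
    $IPT -I FORWARD -i tunl0 -o tunl0 -j DROP
    # Anti-spoofing: LAN side may only source our subnet; tunnel side never may.
    $IPT -t raw -I PREROUTING ! -s "$subnet" -i br-amprnet -j DROP
    $IPT -t raw -I PREROUTING -s "$subnet" -i tunl0 -j DROP
    # Unassigned sources must not leave via IPENCAP.
    $IPT -I FORWARD ! -s "$subnet" -o tunl0 -j DROP
    # Bogons arriving from the tunnel.
    for bogon in $BOGONS; do
        $IPT -t raw -I PREROUTING -s "$bogon" -i tunl0 -j DROP
    done
}

# Usage: ./ampr-fw.sh 44.xxx.xxx.xxx/xx        (dry run, prints the rules)
#        IPT=iptables ./ampr-fw.sh 44.xxx.xxx.xxx/xx   (applies them, as root)
if [ $# -gt 0 ]; then
    ampr_rules "$1" || exit 1
fi
```

Run it once without IPT set and read the printed rules before applying anything; a value with no prefix length, the mistake this revision corrects, is refused by valid_cidr and nothing is emitted. Any per-host exception to the unassigned-source DROP belongs after the ampr_rules call, since a later -I lands above it in the FORWARD chain.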

== Cisco ==

== MikroTik ==