Firewalls: Difference between revisions
Line 73: | Line 73: | ||
'''REQUIRED: [[ampr-ripd]] (using the -x and -d arguments), the diff command from the [http://www.gnu.org/software/diffutils/manual/diffutils.html diffutils package] and the [https://www.gnu.org/software/sed/manual/sed.html sed command]. | '''REQUIRED: [[ampr-ripd]] (using the -x and -d arguments), the diff command from the [http://www.gnu.org/software/diffutils/manual/diffutils.html diffutils package] and the [https://www.gnu.org/software/sed/manual/sed.html sed command]. | ||
# load | # load ipipfilter list rule | ||
iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF YOUR WAN>''' -j ipipfilter | iptables -t filter -I INPUT -p 4 -i '''<INTERFACE OF YOUR WAN>''' -j ipipfilter | ||
Revision as of 15:03, 20 October 2016
Welcome to the Firewall Wiki.
NOTE: This page is intended to be edited by the community to add use practices, command syntax, etc. regarding firewalling and security on AMPRNet nodes. While each operator is ultimately responsible for the administration of their node, it is highly suggested amongst the 44Net mailing list Community that nodes be firewalled.
NOTE: On an iptables-based firewall, you must enable connection tracking on the tunl0 interface in order to enable Stateful Packet Inspection (i.e. a stateful firewall). Since the IPENCAP Linux Kernel Module IPIP is in the kernel, you must set the default forwarding policy to DROP or REJECT. If you set your default routing policy to ACCEPT, all packets that have not been explicitly DROPped or REJECTed elsewhere, will route, regardless of firewall policies.
Cisco
DD-WRT
DD-WRT uses an iptables-based firewall (see iptables below). Custom rules can be entered at Administration > Commands > "Save Firewall"
https://www.dd-wrt.com/wiki/index.php/Iptables
https://www.dd-wrt.com/wiki/index.php/Firewall
D-Link
On some D-Link devices, the port forwarding feature allows for the options: TCP, UDP and Other. The "Other" option on these models are capable of Destination NAT of IPENCAP packets.
To enable input of IPENCAP (IP Protocol Number 4) Note: this rule is required for other AMPR nodes to initiate inbound traffic to your node.
In Port Forwarding
# Create a new Port Forward # Enter the LAN IP of your AMPR node # Select "Other" # Type the number 4 into the field
iptables
############################################################ # DROPS IP TRAFFIC THAT'S INVALID ENTERING OR EXITING AMPR # THIS PREVENTS A GENERAL LOOP iptables -I FORWARD -i tunl0 -o tunl0 -j DROP # DROPS OUTBOUND IPs NOT FROM YOUR ALLOCATION (BCP 38) iptables -t raw -I PREROUTING ! -s 44.xxx.xxx.xxx/xx -i br-amprnet -j DROP # DROPS ROGUE INBOUND ASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP iptables -t raw -I PREROUTING -s 44.xxx.xxx.xxx/xx -i tunl0 -j DROP # DROPS OUTBOUND UNASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP # YOU MUST ADD A RULE UNDER THIS LINE TO MAKE EXCEPTIONS (BCP 38) iptables -I FORWARD ! -s 44.xxx.xxx.xxx/xx -o tunl0 -j DROP ############################################################ # DROPS BOGONS ENTERING AMPRNet # SEE http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt iptables -t raw -I PREROUTING -s 0.0.0.0/8 -i tunl0 -j DROP iptables -t raw -I PREROUTING -s 10.0.0.0/8 -i tunl0 -j DROP iptables -t raw -I PREROUTING -s 100.64.0.0/10 -i tunl0 -j DROP iptables -t raw -I PREROUTING -s 127.0.0.0/8 -i tunl0 -j DROP iptables -t raw -I PREROUTING -s 169.254.0.0/16 -i tunl0 -j DROP iptables -t raw -I PREROUTING -s 172.16.0.0/12 -i tunl0 -j DROP iptables -t raw -I PREROUTING -s 192.0.0.0/24 -i tunl0 -j DROP iptables -t raw -I PREROUTING -s 192.0.2.0/24 -i tunl0 -j DROP iptables -t raw -I PREROUTING -s 192.168.0.0/16 -i tunl0 -j DROP iptables -t raw -I PREROUTING -s 198.18.0.0/15 -i tunl0 -j DROP iptables -t raw -I PREROUTING -s 198.51.100.0/24 -i tunl0 -j DROP iptables -t raw -I PREROUTING -s 203.0.113.0/24 -i tunl0 -j DROP iptables -t raw -I PREROUTING -s 224.0.0.0/4 -i tunl0 -j DROP iptables -t raw -I PREROUTING -s 240.0.0.0/4 -i tunl0 -j DROP ############################################################ # THIS PREVENTS NESTED IPENCAP (BCP 38) iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP
Dynamic IPENCAP Filtering of AMPR Nodes
To enable dynamic filtering of IPENCAP (IP Protocol Number 4)
Note: this rule (or the static rule below) is required for other AMPR nodes to initiate inbound traffic to your node.
REQUIRED: ampr-ripd (using the -x and -d arguments), the diff command from the diffutils package and the sed command.
# load ipipfilter list rule iptables -t filter -I INPUT -p 4 -i <INTERFACE OF YOUR WAN> -j ipipfilter
#!/bin/sh # load encap.txt into ipipfilter list # by Rob, PE1CHL # load_ipipfilter.sh PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" AMPRGW="169.228.66.251" gwfile="/tmp/gw" cd /var/lib/ampr-ripd || exit 1 grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u >$gwfile if iptables -N ipipfilter 2>/dev/null then iptables -F ipipfilter iptables -A ipipfilter -s $AMPRGW -j ACCEPT while read ip do iptables -A ipipfilter -s $ip -j ACCEPT done <$gwfile iptables -A ipipfilter -j DROP else iptables -L ipipfilter -n | grep ACCEPT | fgrep -v $AMPRGW | \ sed -e 's/.*-- //' -e 's/ .*//' | sort | diff - $gwfile | \ while read d ip do case "$d" in ">") iptables -I ipipfilter -s $ip -j ACCEPT ;; "<") iptables -D ipipfilter -s $ip -j ACCEPT ;; *) ;; esac done fi rm -f $gwfile
Static IPENCAP Filtering of AMPR Nodes
To enable input of IPENCAP (IP Protocol Number 4)
Note: this rule (or the dynamic rule above) is required for other AMPR nodes to initiate inbound traffic to your node.
iptables -t filter -I INPUT -p 4 -i <INTERFACE OF YOUR WAN> -j ACCEPT
If your AMPR node is downstream, you will create an INPUT and DNAT forward rule to the destination LAN IP of your AMPR node.
To enable receipt of RIP44
iptables -t filter -I INPUT -p udp -s 44.0.0.1 --sport 520 -d 224.0.0.9 --dport 520 -i tunl0 -j ACCEPT
Microtik
OpenWRT
See: iptables (above) and the Instructions for setting up a gateway on OpenWRT.
iptables-based rules can be entered in Network > Firewall > Custom Firewall on the LuCI web interface; or via the command prompt via UCI.