Firewalls: Difference between revisions
→iptables: add more more comments |
|||
| Line 23: | Line 23: | ||
# THIS PREVENTS A GENERAL LOOP | # THIS PREVENTS A GENERAL LOOP | ||
iptables -I FORWARD -i tunl0 -o tunl0 -j DROP | iptables -I FORWARD -i tunl0 -o tunl0 -j DROP | ||
# DROPS OUTBOUND IPs NOT FROM YOUR ALLOCATION (BCP 38) | |||
iptables -t raw -I PREROUTING ! -s 44.xxx.xxx.xxx/xx -i br-amprnet -j DROP | iptables -t raw -I PREROUTING ! -s 44.xxx.xxx.xxx/xx -i br-amprnet -j DROP | ||
# DROPS ROGUE INBOUND ASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP | |||
iptables -t raw -I PREROUTING -s 44.xxx.xxx.xxx/xx -i tunl0 -j DROP | iptables -t raw -I PREROUTING -s 44.xxx.xxx.xxx/xx -i tunl0 -j DROP | ||
# DROPS OUTBOUND UNASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP | # DROPS OUTBOUND UNASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP | ||
# YOU MUST ADD A RULE UNDER THIS LINE TO MAKE EXCEPTIONS | # YOU MUST ADD A RULE UNDER THIS LINE TO MAKE EXCEPTIONS (BCP 38) | ||
iptables -I FORWARD ! -s 44.xxx.xxx.xxx/xx -o tunl0 -j DROP | iptables -I FORWARD ! -s 44.xxx.xxx.xxx/xx -o tunl0 -j DROP | ||
############################################################ | ############################################################ | ||
Revision as of 11:47, 18 October 2016
Welcome to the Firewall Wiki.
NOTE: This page is intended to be edited by the community to add use practices, command syntax, etc. regarding firewalling and security on AMPRNet nodes. While each operator is ultimately responsible for the administration of their node, it is highly suggested amongst the 44 Community that nodes be firewalled.
NOTE: On an iptables-based firewall, you must enable connection tracking on the tunl0 interface in order to enable Stateful Packet Inspection (i.e. a stateful firewall). Since the IPENCAP Linux Kernel Module IPIP is in the kernel, you must set the default forwarding policy to DROP or REJECT. If you set your default routing policy to ACCEPT, all packets that have not been explicitly DROPped or REJECTed elsewhere, will route, regardless of firewall policies.
iptables
To enable input of IPENCAP (IP Protocol Number 4)
iptables -t filter -I INPUT -p 4 -i <INTERFACE OF YOUR WAN> -j ACCEPT
To enable receipt of RIP44
iptables -t filter -I INPUT -p udp -s 44.0.0.1 --sport 520 -d 224.0.0.9 --dport 520 -i tunl0 -j ACCEPT
############################################################ # DROPS IP TRAFFIC THAT'S INVALID ENTERING OR EXITING AMPR # THIS PREVENTS A GENERAL LOOP iptables -I FORWARD -i tunl0 -o tunl0 -j DROP # DROPS OUTBOUND IPs NOT FROM YOUR ALLOCATION (BCP 38) iptables -t raw -I PREROUTING ! -s 44.xxx.xxx.xxx/xx -i br-amprnet -j DROP # DROPS ROGUE INBOUND ASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP iptables -t raw -I PREROUTING -s 44.xxx.xxx.xxx/xx -i tunl0 -j DROP # DROPS OUTBOUND UNASSIGNED IPs FROM LOOPING THROUGH tunl0 VIA IPENCAP # YOU MUST ADD A RULE UNDER THIS LINE TO MAKE EXCEPTIONS (BCP 38) iptables -I FORWARD ! -s 44.xxx.xxx.xxx/xx -o tunl0 -j DROP ############################################################ # DROPS BOGONS ENTERING AMPRNet # SEE http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt iptables -t raw -I PREROUTING -s 0.0.0.0/8 -i tunl0 -j DROP iptables -t raw -I PREROUTING -s 10.0.0.0/8 -i tunl0 -j DROP iptables -t raw -I PREROUTING -s 100.64.0.0/10 -i tunl0 -j DROP iptables -t raw -I PREROUTING -s 127.0.0.0/8 -i tunl0 -j DROP iptables -t raw -I PREROUTING -s 169.254.0.0/16 -i tunl0 -j DROP iptables -t raw -I PREROUTING -s 172.16.0.0/12 -i tunl0 -j DROP iptables -t raw -I PREROUTING -s 192.0.0.0/24 -i tunl0 -j DROP iptables -t raw -I PREROUTING -s 192.0.2.0/24 -i tunl0 -j DROP iptables -t raw -I PREROUTING -s 192.168.0.0/16 -i tunl0 -j DROP iptables -t raw -I PREROUTING -s 198.18.0.0/15 -i tunl0 -j DROP iptables -t raw -I PREROUTING -s 198.51.100.0/24 -i tunl0 -j DROP iptables -t raw -I PREROUTING -s 203.0.113.0/24 -i tunl0 -j DROP iptables -t raw -I PREROUTING -s 224.0.0.0/4 -i tunl0 -j DROP iptables -t raw -I PREROUTING -s 240.0.0.0/4 -i tunl0 -j DROP