From 8c1c6ffeb3dcdbf9217c2120df74adc8494f88ec Mon Sep 17 00:00:00 2001
From: Ansible Admin
Date: Fri, 25 Dec 2015 21:52:39 +0100
Subject: [PATCH] Block RFC1918 and APIPA destination via eth0
---
 files/sn_startup.sh.j2 | 7 ++++++-
 install.sn.yml | 2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/files/sn_startup.sh.j2 b/files/sn_startup.sh.j2
index 23a3eef..8fbf7e7 100644
--- a/files/sn_startup.sh.j2
+++ b/files/sn_startup.sh.j2
@@ -13,6 +13,11 @@ curl -X POST --data-urlencode 'payload={"text": "{{ sn_hostname }} is rebooted",
 # sleep 5
 #done
 
+# Block RFC1918 and APIPA destination via WAN
+/sbin/iptables -P OUTPUT ACCEPT
+for i in 10.0.0.0/8 172.16.0.0/12 169.254.0.0/16 192.168.0.0/16; do
+/sbin/iptables -A OUTPUT -o eth0 -d $i -j DROP
+done
 
 # Activate IP forwarding
 /sbin/sysctl -w net.ipv6.conf.all.forwarding=1
@@ -33,7 +38,7 @@ curl -X POST --data-urlencode 'payload={"text": "{{ sn_hostname }} is rebooted",
 /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 
 # Allow MAC address spoofing
-#/sbin/sysctl net.ipv4.conf.bat0.rp_filter=0
+/sbin/sysctl net.ipv4.conf.bat0.rp_filter=0
 
 # Set gateway for table 200
 #/bin/ip route replace default via {{ sn_iffy_traffic }} table iffy
diff --git a/install.sn.yml b/install.sn.yml
index c365aaf..a043eb2 100644
--- a/install.sn.yml
+++ b/install.sn.yml
@@ -9,7 +9,7 @@
 user: root
 gather_facts: False
 vars:
-snversion: master_v1.9.0
+snversion: master_v1.9.1
 batmanversion: v2015.2
 common_required_packages:
 - git
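Review bot: The DROP rules added in the loop are appended to the OUTPUT chain only, so they constrain traffic the node itself originates; traffic the node forwards for others — which the MASQUERADE rule on eth0 in the next hunk and the IP-forwarding sysctl directly below this hunk show it does — traverses FORWARD and is not covered. If the header comment's intent is to keep private-range destinations off the WAN for all traffic, the loop should also add `/sbin/iptables -A FORWARD -o eth0 -d "$i" -j DROP`. Because `-A` appends, these rules only take effect if no earlier OUTPUT or FORWARD rule already accepts the traffic, and re-running the script would duplicate them; the rest of the script is outside the hunk, so I can't tell whether the chains are flushed first. Quoting `$i` and indenting the loop body would match common shell style, and since ACCEPT is the kernel's default OUTPUT policy, `-P OUTPUT ACCEPT` deserves a comment stating why it is set explicitly here.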
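Review bot: Uncommenting `net.ipv4.conf.bat0.rp_filter=0` is unrelated to the commit subject and not mentioned in it; it disables reverse-path source validation on the mesh interface, which is a hardening control, so it deserves its own commit or at least a sentence in the message. The kernel applies the maximum of `net.ipv4.conf.all.rp_filter` and the per-interface value, so this line has no effect unless the `all` value is also 0 — neither that setting nor the rest of the script is visible in this hunk, so it should be checked on a deployed node with `sysctl net.ipv4.conf.all.rp_filter`. If only asymmetric routing needs to be tolerated, loose mode `/sbin/sysctl -w net.ipv4.conf.bat0.rp_filter=2` is a less permissive alternative to `0`. The comment `# Allow MAC address spoofing` describes a layer-2 property while rp_filter validates IP source addresses; rewording it to `# Disable reverse-path (IP source address) validation on bat0` would state what the line actually does, and adding `-w` would match the other sysctl call in this file.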