Block RFC1918 and APIPA destination via eth0

2015-12-25 21:52:39 +01:00 · 2015-12-25 21:52:39 +01:00 · 8c1c6ffeb3
commit 8c1c6ffeb3
parent a388307c6d
2 changed files with 7 additions and 2 deletions
--- a/files/sn_startup.sh.j2
+++ b/files/sn_startup.sh.j2
@ -13,6 +13,11 @@ curl -X POST --data-urlencode 'payload={"text": "{{ sn_hostname }} is rebooted",
 #    sleep 5
 #done

+# Block RFC1918 and APIPA destination via WAN
+/sbin/iptables -P OUTPUT ACCEPT
+for i in 10.0.0.0/8 172.16.0.0/12 169.254.0.0/16 192.168.0.0/16; do
+/sbin/iptables -A OUTPUT -o eth0 -d $i -j DROP
+done

 # Activate IP forwarding
 /sbin/sysctl -w net.ipv6.conf.all.forwarding=1
@ -33,7 +38,7 @@ curl -X POST --data-urlencode 'payload={"text": "{{ sn_hostname }} is rebooted",
 /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

 # Allow MAC address spoofing
-#/sbin/sysctl net.ipv4.conf.bat0.rp_filter=0
+/sbin/sysctl net.ipv4.conf.bat0.rp_filter=0

 # Set gateway for table 200
 #/bin/ip route replace default via {{ sn_iffy_traffic }} table iffy
--- a/install.sn.yml
+++ b/install.sn.yml
@ -9,7 +9,7 @@
  user: root
  gather_facts: False
  vars:
-    snversion: master_v1.9.0
+    snversion: master_v1.9.1
    batmanversion: v2015.2
    common_required_packages:
      - git