Update interfaces-troisdorf6

Add masquarade, RFC1918 & RFC 4193 blocking
2016-05-06 12:55:50 +02:00 · 2016-05-06 12:55:50 +02:00 · b8812b635e
commit b8812b635e
parent 9926571fd2
1 changed files with 24 additions and 1 deletions
--- a/files/interfaces-troisdorf6
+++ b/files/interfaces-troisdorf6
@ -20,11 +20,19 @@ iface eth0 inet static
        netmask 255.255.255.192
        gateway 46.4.138.129
        dns-nameserver 213.133.100.100 213.133.99.99 213.133.98.98
+        post-up iptables -P OUTPUT ACCEPT
+        post-up iptables -A OUTPUT -o eth0 -d 10.0.0.0/8 -j DROP
+        post-up iptables -A OUTPUT -o eth0 -d 172.16.0.0/12 -j DROP
+        post-up iptables -A OUTPUT -o eth0 -d 169.254.0.0/16 -j DROP
+        post-up iptables -A OUTPUT -o eth0 -d 192.168.0.0/16 -j DROP
+        post-up iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

 iface eth0 inet6 static
        address 2a01:4f8:11d:600::189
        netmask 59
        gateway 2a01:4f8:11d:600::1
+        post-up ip6tables -P OUTPUT ACCEPT
+        post-up ip6tables -A OUTPUT -o eth0 -d fc00::/7 -j DROP

 # GRE Tunnel zum Rheinland Backbone
 # - Die Konfigurationsdaten werden vom Rheinland Backbone vergeben und zugewiesen
@ -35,11 +43,15 @@ iface gre-bb-a.ak.ber inet static
        address 100.64.2.159
        netmask 255.255.255.254
        pre-up ip tunnel add $IFACE mode gre local 46.4.138.189 remote 185.66.195.0 ttl 255
+        post-up iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.106
+        post-up iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
        post-up ip link set $IFACE mtu 1400
+        post-down iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.106
        post-down ip tunnel del $IFACE

 iface gre-bb-a.ak.ber inet6 static
        address 2a03:2260:0:159::2/64
+        post-up ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
        netmask 64

 # Berlin Router B
@ -48,11 +60,15 @@ iface gre-bb-b.ak.ber inet static
        address 100.64.2.161
        netmask 255.255.255.254
        pre-up ip tunnel add $IFACE mode gre local 46.4.138.189 remote 185.66.195.1 ttl 255
+        post-up iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.106
+        post-up iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
        post-up ip link set $IFACE mtu 1400
+        post-down iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.106
        post-down ip tunnel del $IFACE

 iface gre-bb-b.ak.ber inet6 static
        address 2a03:2260:0:15a::2/64
+        post-up ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
        netmask 64


@ -62,12 +78,16 @@ iface gre-bb-a.ix.dus inet static
        address 100.64.2.163
        netmask 255.255.255.254
        pre-up ip tunnel add $IFACE mode gre local 46.4.138.189 remote 185.66.193.0 ttl 255
+        post-up iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.106
+        post-up iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
        post-up ip link set $IFACE mtu 1400
+        post-down iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.106
        post-down ip tunnel del $IFACE

 iface gre-bb-a.ix.dus inet6 static
        address 2a03:2260:0:15b::2/64
        netmask 64
+        post-up ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312


 # Duesseldorf Router B
@ -76,10 +96,13 @@ iface gre-bb-b.ix.dus inet static
        address 100.64.2.165
        netmask 255.255.255.254
        pre-up ip tunnel add $IFACE mode gre local 46.4.138.189 remote 185.66.193.1 ttl 255
+        post-up iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.106
+        post-up iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
        post-up ip link set $IFACE mtu 1400
+        post-down iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.106
        post-down ip tunnel del $IFACE

 iface gre-bb-b.ix.dus inet6 static
        address 2a03:2260:0:15c::2/64
        netmask 64
-
+        post-up ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312