From b8812b635eac78c9e61c13380c18b1ac0e0e5f11 Mon Sep 17 00:00:00 2001
From: rojoka
Date: Fri, 6 May 2016 12:55:50 +0200
Subject: [PATCH] Update interfaces-troisdorf6
Add masquarade, RFC1918 & RFC 4193 blocking
---
files/interfaces-troisdorf6 | 25 ++++++++++++++++++++++++-
1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/files/interfaces-troisdorf6 b/files/interfaces-troisdorf6
index a423081..9b12f50 100644
--- a/files/interfaces-troisdorf6
+++ b/files/interfaces-troisdorf6
@@ -20,11 +20,19 @@ iface eth0 inet static
 netmask 255.255.255.192
 gateway 46.4.138.129
 dns-nameserver 213.133.100.100 213.133.99.99 213.133.98.98
+ post-up iptables -P OUTPUT ACCEPT
+ post-up iptables -A OUTPUT -o eth0 -d 10.0.0.0/8 -j DROP
+ post-up iptables -A OUTPUT -o eth0 -d 172.16.0.0/12 -j DROP
+ post-up iptables -A OUTPUT -o eth0 -d 169.254.0.0/16 -j DROP
+ post-up iptables -A OUTPUT -o eth0 -d 192.168.0.0/16 -j DROP
+ post-up iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 iface eth0 inet6 static
 address 2a01:4f8:11d:600::189
 netmask 59
 gateway 2a01:4f8:11d:600::1
+ post-up ip6tables -P OUTPUT ACCEPT
+ post-up ip6tables -A OUTPUT -o eth0 -d fc00::/7 -j DROP
 # GRE Tunnel zum Rheinland Backbone
 # - Die Konfigurationsdaten werden vom Rheinland Backbone vergeben und zugewiesen
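Review bot: The four iptables DROP rules (and the ip6tables fc00::/7 rule) are appended to OUTPUT, which only matches packets generated by this host; the traffic that the MASQUERADE rule on the following line NATs out of eth0 is forwarded traffic, which traverses FORWARD and is therefore not filtered by any of the new rules. If the intent is to keep masqueraded clients from reaching private address space behind eth0, as the commit message suggests, the same matches have to be added to FORWARD as well. Unlike the tunnel stanzas later in this patch, none of these rules has a matching `post-down ... -D`, so every ifdown/ifup cycle of eth0 appends a second copy (the duplicate nat rule is the one worth avoiding). `iptables -P OUTPUT ACCEPT` is the kernel default and silently overrides any stricter policy set elsewhere at boot; if that is deliberate a one-line comment saying so would help. The eth0 inet stanza's `iface` line is only visible in the hunk header.
```conf
    post-up iptables -P OUTPUT ACCEPT
    # ... unchanged: OUTPUT DROP rules for 10/8, 172.16/12, 169.254/16, 192.168/16 ...
    # same matches for traffic forwarded (and masqueraded below) out of eth0
    post-up iptables -A FORWARD -o eth0 -d 10.0.0.0/8 -j DROP
    post-up iptables -A FORWARD -o eth0 -d 172.16.0.0/12 -j DROP
    post-up iptables -A FORWARD -o eth0 -d 169.254.0.0/16 -j DROP
    post-up iptables -A FORWARD -o eth0 -d 192.168.0.0/16 -j DROP
    post-up iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
    # ... unchanged: inet6 stanza ...
    post-up ip6tables -A OUTPUT -o eth0 -d fc00::/7 -j DROP
    post-up ip6tables -A FORWARD -o eth0 -d fc00::/7 -j DROP
```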
@@ -35,11 +43,15 @@ iface gre-bb-a.ak.ber inet static
 address 100.64.2.159
 netmask 255.255.255.254
 pre-up ip tunnel add $IFACE mode gre local 46.4.138.189 remote 185.66.195.0 ttl 255
+ post-up iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.106
+ post-up iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
 post-up ip link set $IFACE mtu 1400
+ post-down iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.106
 post-down ip tunnel del $IFACE
 iface gre-bb-a.ak.ber inet6 static
 address 2a03:2260:0:159::2/64
+ post-up ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
 netmask 64
 # Berlin Router B
@@ -48,11 +60,15 @@ iface gre-bb-b.ak.ber inet static
 address 100.64.2.161
 netmask 255.255.255.254
 pre-up ip tunnel add $IFACE mode gre local 46.4.138.189 remote 185.66.195.1 ttl 255
+ post-up iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.106
+ post-up iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
 post-up ip link set $IFACE mtu 1400
+ post-down iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.106
 post-down ip tunnel del $IFACE
 iface gre-bb-b.ak.ber inet6 static
 address 2a03:2260:0:15a::2/64
+ post-up ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
 netmask 64
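Review bot: The two TCPMSS rules added in post-up for gre-bb-a.ak.ber have no post-down counterpart, whereas the SNAT rule added directly above them does get a `post-down ... -D`; each ifdown/ifup of the tunnel therefore leaves one more copy of the mangle rule in POSTROUTING, which is harmless for clamping but accumulates and makes it unclear which rule is live. Add `post-down iptables -t mangle -D POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312` to the inet stanza and the matching `post-down ip6tables -t mangle -D ...` line to the inet6 stanza. The ip6tables line is also inserted between `address` and `netmask 64` here, while the ix.dus stanzas later in this patch place it after `netmask`; ifupdown does not care about option order, but keeping the four tunnel stanzas textually identical keeps them diffable against each other. The inet stanza's `iface` line is only visible in the hunk header.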
@@ -62,12 +78,16 @@ iface gre-bb-a.ix.dus inet static
 address 100.64.2.163
 netmask 255.255.255.254
 pre-up ip tunnel add $IFACE mode gre local 46.4.138.189 remote 185.66.193.0 ttl 255
+ post-up iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.106
+ post-up iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
 post-up ip link set $IFACE mtu 1400
+ post-down iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.106
 post-down ip tunnel del $IFACE
 iface gre-bb-a.ix.dus inet6 static
 address 2a03:2260:0:15b::2/64
 netmask 64
+ post-up ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
 # Duesseldorf Router B
@@ -76,10 +96,13 @@ iface gre-bb-b.ix.dus inet static
 address 100.64.2.165
 netmask 255.255.255.254
 pre-up ip tunnel add $IFACE mode gre local 46.4.138.189 remote 185.66.193.1 ttl 255
+ post-up iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.106
+ post-up iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
 post-up ip link set $IFACE mtu 1400
+ post-down iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.106
 post-down ip tunnel del $IFACE
 iface gre-bb-b.ix.dus inet6 static
 address 2a03:2260:0:15c::2/64
 netmask 64
-
+ post-up ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
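Review bot: In the gre-bb-b.ix.dus stanza the MSS value 1312 is hard-coded in both TCPMSS rules while the tunnel MTU is set independently to 1400 by the `ip link set $IFACE mtu 1400` line between them; nothing in the file ties the two together or records how 1312 was derived (1400 minus IP and TCP headers would be 1360 for IPv4 and 1340 for IPv6, so a further encapsulation is presumably being accounted for). A comment such as `# MSS = 1400 (mtu below) - IP/TCP headers - inner encapsulation; change together with 'mtu'` placed above the first TCPMSS rule would make that explicit, or, if the lower value is not deliberately required, `--clamp-mss-to-pmtu` in place of `--set-mss 1312` would derive it from the interface MTU automatically. As in the other tunnel stanzas, the SNAT rule is removed in post-down but the two mangle rules are not, so they are duplicated on every ifdown/ifup. The removed line at the end of the hunk was a whitespace-only line, so the ip6tables rule is now the last line of the file; the inet stanza's `iface` line is only visible in the hunk header.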