Commit 575a060b authored by glucas's avatar glucas

Add BCP38-related configurations and scripts.

parent b92d25a1
#!/bin/sh
# Copyright (C) 2015-2016 Alsace Réseau Neutre
#
# Heavily based on iptables-persistent program.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Debian GNU/Linux: store this in /usr/share/netfilter-persistent/plugins.d/
set -e
load_sets()
{
if [ ! -f /etc/iptables/ipsets ]; then
echo "Warning: no ipsets to load"
else
ipset -exist restore < /etc/iptables/ipsets 2> /dev/null
fi
}
save_sets()
{
touch /etc/iptables/ipsets
chmod 0640 /etc/iptables/ipsets
ipset save > /etc/iptables/ipsets
}
flush_sets()
{
ipset -X
}
case "$1" in
start)
load_sets || exit 1
;;
save)
save_sets || exit 1
;;
stop)
# Why? because if stop is used, the firewall gets flushed for a variable
# amount of time during package upgrades, leaving the machine vulnerable
# It's also not always desirable to flush during purge
echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
;;
restart|reload|force-reload)
flush_sets || exit 1
load_sets || exit 1
;;
flush)
flush_sets || exit 1
;;
*)
echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2
exit 1
;;
esac
exit 0
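Review bot: Ordering relative to the iptables plugins is what makes this plugin work, and the header only says to store it in plugins.d without naming the file. run-parts executes plugins in lexical order, and the rules files in this commit reference `bcp38`/`bcp38v6` through `-m set`, so iptables-restore fails if this plugin has not created the sets first; conversely `flush_sets` runs `ipset -X`, which refuses to destroy a set still referenced by a loaded rule, so the reverse-order flush on restart only works if this file sorts before the ip4tables/ip6tables plugins. I would state that in the header: `# Must sort before the ip4tables/ip6tables plugins (e.g. 10-ipset): their rules reference these sets.` Separately, `save_sets` truncates /etc/iptables/ipsets via the redirect before `ipset save` produces any output, so a failing save wipes the last good copy; writing to a temporary file in /etc/iptables and renaming it into place keeps the old file intact, and dropping the `2> /dev/null` in `load_sets` would let the operator see why a restore failed instead of a bare exit 1.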
For explanations and how-to, see https://wiki.arn-fai.net/technique:bcp38 (in french, sorry).
create bcp38 hash:net,iface family inet hashsize 1024 maxelem 65536
add bcp38 89.234.141.0/24,cogent
add bcp38 89.234.141.0/24,interoute
add bcp38 89.234.141.0/24,grifon
create bcp38v6 hash:net,iface family inet6 hashsize 1024 maxelem 65536
add bcp38v6 2a00:5881:8100::/40,cogent
add bcp38v6 2a00:5881:8100::/40,interoute
add bcp38v6 2a00:5881:8100::/40,grifon
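Review bot: Nothing documents that the second half of each entry (`cogent`, `interoute`, `grifon`) is an interface name that must match the transit link exactly; a `hash:net,iface` entry only matches packets arriving on that interface, so a renamed or newly added transit interface silently falls outside the `DROP OUR ALLOC FROM TRANSIT` rules with no error anywhere. I would add a header comment, provided the ipset on the target accepts `#` lines in restore input (current versions do, but verify): `# <our allocation>,<transit interface> — one line per transit link; a link missing here accepts spoofed packets from our own prefix.`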
# Generated by iptables-save v1.4.21 on Tue Mar 22 17:08:44 2016
*raw
:PREROUTING ACCEPT [99502:98147923]
:OUTPUT ACCEPT [10842:4791807]
-A PREROUTING -i tap+ -m rpfilter --invert -m comment --comment "BCP38 VPS" -j DROP
-A PREROUTING -i h-+ -m rpfilter --invert -m comment --comment "BCP38 housing" -j DROP
COMMIT
# Completed on Tue Mar 22 17:08:44 2016
# Generated by iptables-save v1.4.21 on Tue Mar 22 17:08:44 2016
*filter
:INPUT DROP [10926:54106767]
:FORWARD ACCEPT [86743:43774135]
:OUTPUT ACCEPT [10842:4791807]
-A INPUT -m set --match-set bcp38 src,src -m comment --comment "DROP OUR ALLOC FROM TRANSIT" -j DROP
-A FORWARD -m set --match-set bcp38 src,src -m comment --comment "DROP OUR ALLOC FROM TRANSIT" -j DROP
COMMIT
# Completed on Tue Mar 22 17:08:44 2016
# Generated by iptables-save v1.4.21 on Tue Mar 22 17:08:44 2016
*nat
:PREROUTING ACCEPT [8982:1017131]
:INPUT ACCEPT [21:6766]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [8386:986587]
COMMIT
# Completed on Tue Mar 22 17:08:44 2016
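Review bot: The `*filter` table sets `:INPUT DROP` but carries no ACCEPT rule at all — not for `lo`, not for established connections, not for management traffic — so if this is the complete rules.v4 the iptables plugin restores, every inbound packet to the host is dropped the moment it loads, including the session doing the restore. The BCP38 DROP rules do not need a DROP policy to be effective; either this is an excerpt trimmed for the commit or the policy should stay `ACCEPT` here with the host policy managed elsewhere, and a one-line comment saying which would spare the next reader a lockout. The `-m set --match-set bcp38 src,src` rules also require the set to exist before this file is restored, which deserves a comment beside them: `# requires the bcp38 ipset (loaded by the ipset plugin) to exist, or iptables-restore aborts`.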
# Generated by ip6tables-save v1.4.21 on Tue Mar 22 17:08:44 2016
*raw
:PREROUTING ACCEPT [4453:1772359]
:OUTPUT ACCEPT [634:84041]
-A PREROUTING -i tap+ -m rpfilter --invert -m comment --comment "BCP38 VPS" -j DROP
-A PREROUTING -i h-+ -m rpfilter --invert -m comment --comment "BCP38 housing" -j DROP
COMMIT
# Completed on Tue Mar 22 17:08:44 2016
# Generated by ip6tables-save v1.4.21 on Tue Mar 22 17:08:44 2016
*filter
:INPUT DROP [854:109492]
:FORWARD ACCEPT [3474:1644577]
:OUTPUT ACCEPT [634:84041]
-A INPUT -m set --match-set bcp38v6 src,src -m comment --comment "DROP OUR ALLOC FROM TRANSIT" -j DROP
-A FORWARD -m set --match-set bcp38v6 src,src -m comment --comment "DROP OUR ALLOC FROM TRANSIT" -j DROP
# Completed on Tue Mar 22 17:08:44 2016
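Review bot: The IPv6 `*filter` table is never committed — the v4 file closes its filter table with `COMMIT`, but here `# Completed on …` follows the FORWARD rule directly. ip6tables-restore treats a table left open at end of input as an error (`COMMIT expected at line …`) and exits non-zero, so the `bcp38v6` inbound checks would not be installed even though the raw-table rpfilter rules above were accepted; if the line was lost when the file was pasted, it should be restored as `COMMIT` before the trailer. The `:INPUT DROP` policy with no ACCEPT rule deserves the same scrutiny as in the v4 file, and on IPv6 it would additionally break neighbour discovery if applied as-is.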
#!/bin/sh
# This file is part of netfilter-persistent
# Copyright (C) 2014 Jonathan Wiltshire
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation, either version 3
# of the License, or (at your option) any later version.
# Modified by Alsace Réseau Neutre in 2015.
# Debian GNU/Linux: store this in /usr/sbin/netfilter-persistent
set -e
IAM=$(whoami)
PLUGINS=/usr/share/netfilter-persistent/plugins.d
FLUSH_ON_STOP=0
if [ ${IAM} != "root" ]; then
echo "You must be root to use this utility"
fi
# Source configuration
if [ -f "/etc/default/netfilter-persistent" ]; then
. /etc/default/netfilter-persistent
fi
run_plugins_start () {
if [ -d ${PLUGINS} ]; then
run-parts -v -a ${1} ${PLUGINS}
fi
}
run_plugins_stop () {
if [ -d ${PLUGINS} ]; then
run-parts --reverse -v -a ${1} ${PLUGINS}
fi
}
case $1 in
start|save)
run_plugins_start ${1}
;;
restart|reload|force-reload)
run_plugins_stop flush
run_plugins_start start
;;
stop)
if [ ${FLUSH_ON_STOP} -gt 0 ]; then
run_plugins_stop flush
else
echo "Automatic flush disabled; use '${0} flush'"
exit 1
fi
;;
flush)
run_plugins_stop flush
;;
*)
echo "Usage: ${0} (start|stop|restart|reload|flush|save)"
;;
esac
exit 0
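Review bot: The root check only prints a message and carries on — the `if [ ${IAM} != "root" ]` branch has no `exit`, whereas upstream netfilter-persistent exits 1 there if memory serves — so a non-root invocation proceeds into run-parts, where each plugin fails on its own with misleading permission errors (`touch /etc/iptables/ipsets`, `ipset save`). Add `exit 1` after the echo and send the message to stderr: `echo "You must be root to use this utility" >&2`. The usage fallback at the bottom likewise prints and then reaches `exit 0`, so a mistyped action looks like success to whatever called it; it should `exit 1` as well, and quoting `"${IAM}"` and `"${PLUGINS}"` is a cheap guard against an empty value turning the test into a syntax error.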