Proper IP ranges/networks for Uninetz

2014-04-29 11:18:07 +02:00
parent 84e7c1a05e
commit 01a61ef2fe
2 changed files with 10 additions and 12 deletions


@@ -40,18 +40,15 @@ iptables -A INPUT -i $LANIF -d $LOOP -j DROP
iptables -A FORWARD -i $LANIF -d $LOOP -j DROP
# Anything coming from the Network should have a real Internet address,
# or a known "Uninetz" private address (172.20.0.0/16)
# or a known "Uninetz" private address (172.16.0.0/12)
iptables -N Antispoof_172
iptables -A FORWARD -i $LANIF -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i $LANIF -s 172.16.0.0/12 -j Antispoof_172
iptables -A FORWARD -i $LANIF -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i $LANIF -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i $LANIF -s 172.16.0.0/12 -j Antispoof_172
iptables -A INPUT -i $LANIF -s 10.0.0.0/8 -j DROP
iptables -A Antispoof_172 -i $LANIF -s 172.20.0.0/16 -j RETURN
iptables -A Antispoof_172 -j LOG --log-prefix "ANTISPOOFIN "
iptables -A Antispoof_172 -j DROP
iptables -N Antispoof
iptables -A FORWARD -i $LANIF -s 192.168.0.0/16 -j Antispoof
iptables -A FORWARD -i $LANIF -s 10.0.0.0/8 -j Antispoof
iptables -A INPUT -i $LANIF -s 192.168.0.0/16 -j Antispoof
iptables -A INPUT -i $LANIF -s 10.0.0.0/8 -j Antispoof
iptables -A Antispoof -j LOG --log-prefix "ANTISPOOFIN "
iptables -A Antispoof -j DROP
# Block outgoing NetBios (if you have windows machines running
# on the private subnet). This will not affect any NetBios
@@ -91,7 +88,7 @@ iptables -A FORWARD -p icmp --icmp-type 11/1 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 0/0 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 3 -j ACCEPT
# Allow services such as ssh (can be disabled)
# Allow services such as ssh
iptables -A INPUT -p tcp --dport ssh -j ACCEPT -m state --state NEW
iptables -A INPUT -p udp --dport 1194 -j ACCEPT -m state --state NEW
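Review bot: In the first hunk the new Antispoof chain no longer classifies 172.16.0.0/12 at all, so any source in that /12 arriving on $LANIF now bypasses the anti-spoofing rules entirely, whereas the replaced Antispoof_172 chain let only 172.20.0.0/16 through and logged and dropped the rest. The OpenVPN change in the same commit pushes only 172.19.0.0/16 and 172.20.0.0/16, which suggests those two /16s are the Uninetz ranges actually in use; if so, opening the whole /12 is wider than needed and a spoofed 172.16.x source from the LAN is now neither logged nor dropped. Keeping a 172-specific chain that RETURNs only the known /16s (two RETURN rules, since 172.19/16 and 172.20/16 do not share one aligned prefix) and otherwise falls through to LOG/DROP preserves the intended widening while keeping the rest of the /12 treated like 192.168/16 and 10/8. The comment at the top of the hunk should then name the ranges, e.g. `# or a known "Uninetz" private address (172.19.0.0/16, 172.20.0.0/16)`. The script continues outside the hunk, so any later rule that separately handles 172.16.0.0/12 is not visible here.
```shell
# Only the Uninetz ranges actually in use are legitimate LAN sources; the
# rest of 172.16.0.0/12 is treated as spoofed, like 192.168/16 and 10/8.
iptables -N Antispoof_172
iptables -A FORWARD -i $LANIF -s 172.16.0.0/12 -j Antispoof_172
iptables -A INPUT -i $LANIF -s 172.16.0.0/12 -j Antispoof_172
iptables -A Antispoof_172 -i $LANIF -s 172.19.0.0/16 -j RETURN
iptables -A Antispoof_172 -i $LANIF -s 172.20.0.0/16 -j RETURN
iptables -A Antispoof_172 -j LOG --log-prefix "ANTISPOOFIN "
iptables -A Antispoof_172 -j DROP
# … unchanged: Antispoof chain for 192.168.0.0/16 and 10.0.0.0/8 …
```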


@@ -135,6 +135,7 @@ ifconfig-pool-persist ipp.txt
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 172.20.0.0 255.255.0.0"
push "route 172.19.0.0 255.255.0.0"
;push "route 192.168.20.0 255.255.255.0"
# To assign specific IP addresses to specific
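Review bot: The new `push "route 172.19.0.0 255.255.0.0"` line carries no comment saying what that range is, and the stock OpenVPN comment above it only explains the client address pool. A one-line comment above the two pushes, e.g. `# Uninetz networks reachable behind this server`, would tell the next maintainer why these two specific /16s are pushed and keep them in sync with the firewall's anti-spoof list. Pushing a route only affects client routing; whether traffic to 172.19.0.0/16 is actually forwarded depends on the server's FORWARD rules and NAT, which this file does not show.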