From 01a61ef2fe49d58467956ab4d4e3c2b3bb75ed4f Mon Sep 17 00:00:00 2001
From: Matthias Blankertz
Date: Tue, 29 Apr 2014 11:18:07 +0200
Subject: [PATCH] Proper IP ranges/networks for Uninetz
---
 overlay/etc/firewall.sh | 21 +++++++++------------
 overlay/etc/openvpn/vpn.conf | 1 +
 2 files changed, 10 insertions(+), 12 deletions(-)
diff --git a/overlay/etc/firewall.sh b/overlay/etc/firewall.sh
index e9a4658..c275a46 100755
--- a/overlay/etc/firewall.sh
+++ b/overlay/etc/firewall.sh
@@ -40,18 +40,15 @@ iptables -A INPUT -i $LANIF -d $LOOP -j DROP
 iptables -A FORWARD -i $LANIF -d $LOOP -j DROP
 
 # Anything coming from the Network should have a real Internet address,
-# or a known "Uninetz" private address (172.20.0.0/16)
+# or a known "Uninetz" private address (172.16.0.0/12)
 
-iptables -N Antispoof_172
-iptables -A FORWARD -i $LANIF -s 192.168.0.0/16 -j DROP
-iptables -A FORWARD -i $LANIF -s 172.16.0.0/12 -j Antispoof_172
-iptables -A FORWARD -i $LANIF -s 10.0.0.0/8 -j DROP
-iptables -A INPUT -i $LANIF -s 192.168.0.0/16 -j DROP
-iptables -A INPUT -i $LANIF -s 172.16.0.0/12 -j Antispoof_172
-iptables -A INPUT -i $LANIF -s 10.0.0.0/8 -j DROP
-iptables -A Antispoof_172 -i $LANIF -s 172.20.0.0/16 -j RETURN
-iptables -A Antispoof_172 -j LOG --log-prefix "ANTISPOOFIN "
-iptables -A Antispoof_172 -j DROP
+iptables -N Antispoof
+iptables -A FORWARD -i $LANIF -s 192.168.0.0/16 -j Antispoof
+iptables -A FORWARD -i $LANIF -s 10.0.0.0/8 -j Antispoof
+iptables -A INPUT -i $LANIF -s 192.168.0.0/16 -j Antispoof
+iptables -A INPUT -i $LANIF -s 10.0.0.0/8 -j Antispoof
+iptables -A Antispoof -j LOG --log-prefix "ANTISPOOFIN "
+iptables -A Antispoof -j DROP
 
 # Block outgoing NetBios (if you have windows machines running
 # on the private subnet). This will not affect any NetBios
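Review bot: The new Antispoof layout no longer sends 172.16.0.0/12 sources on $LANIF through the chain at all, so the whole /12 is now accepted unchecked, whereas the old Antispoof_172 chain returned only for 172.20.0.0/16; the vpn.conf hunk in this same commit pushes routes for just 172.19.0.0/16 and 172.20.0.0/16, which suggests Uninetz is narrower than the full /12, and if so the per-/16 RETURN rules should stay with the /12 still jumping to the chain. The comment the hunk rewrites promises that only real Internet or Uninetz addresses pass, but 127.0.0.0/8 and 169.254.0.0/16 sources are not routed to the chain either (the $LOOP rules above match on destination only), unless that is handled outside this hunk. The LOG target has no rate limit, so a spoofing burst can flood the kernel log; `-m limit --limit 5/min` on the LOG rule keeps the evidence without the flood. The lines below show that shape; the rest of the hunk is unchanged.
```shell
iptables -N Antispoof
# … unchanged: 192.168.0.0/16 and 10.0.0.0/8 FORWARD/INPUT jumps …
iptables -A FORWARD -i $LANIF -s 172.16.0.0/12 -j Antispoof
iptables -A INPUT -i $LANIF -s 172.16.0.0/12 -j Antispoof
iptables -A Antispoof -i $LANIF -s 172.19.0.0/16 -j RETURN
iptables -A Antispoof -i $LANIF -s 172.20.0.0/16 -j RETURN
iptables -A Antispoof -m limit --limit 5/min -j LOG --log-prefix "ANTISPOOFIN "
iptables -A Antispoof -j DROP
```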
@@ -91,7 +88,7 @@ iptables -A FORWARD -p icmp --icmp-type 11/1 -j ACCEPT
 iptables -A FORWARD -p icmp --icmp-type 0/0 -j ACCEPT
 iptables -A FORWARD -p icmp --icmp-type 3 -j ACCEPT
 
-# Allow services such as ssh (can be disabled)
+# Allow services such as ssh
 iptables -A INPUT -p tcp --dport ssh -j ACCEPT -m state --state NEW
 iptables -A INPUT -p udp --dport 1194 -j ACCEPT -m state --state NEW
 
diff --git a/overlay/etc/openvpn/vpn.conf b/overlay/etc/openvpn/vpn.conf
index b080ddd..0e7b70d 100644
--- a/overlay/etc/openvpn/vpn.conf
+++ b/overlay/etc/openvpn/vpn.conf
@@ -135,6 +135,7 @@ ifconfig-pool-persist ipp.txt
 # address pool (10.8.0.0/255.255.255.0)
 # back to the OpenVPN server.
 push "route 172.20.0.0 255.255.0.0"
+push "route 172.19.0.0 255.255.0.0"
 ;push "route 192.168.20.0 255.255.255.0"
 
 # To assign specific IP addresses to specific