IPv6 support

2014-04-05 17:02:38 +02:00
parent 0dd4884522
commit 7fba64b5f5
5 changed files with 123 additions and 5 deletions


@@ -1,4 +1,3 @@
# CONFIG_64BIT is not set
# CONFIG_LOCALVERSION_AUTO is not set # CONFIG_LOCALVERSION_AUTO is not set
CONFIG_DEFAULT_HOSTNAME="panda" CONFIG_DEFAULT_HOSTNAME="panda"
CONFIG_SYSVIPC=y CONFIG_SYSVIPC=y
@@ -100,7 +99,37 @@ CONFIG_INET6_ESP=y
CONFIG_NETLABEL=y CONFIG_NETLABEL=y
CONFIG_NETWORK_SECMARK=y CONFIG_NETWORK_SECMARK=y
CONFIG_NETFILTER=y CONFIG_NETFILTER=y
# CONFIG_NETFILTER_ADVANCED is not set CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_FTP=y
CONFIG_NF_CONNTRACK_IRC=y
CONFIG_NF_CONNTRACK_SIP=y
CONFIG_NF_CT_NETLINK=y
CONFIG_NETFILTER_XT_MARK=y
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y
CONFIG_NETFILTER_XT_TARGET_LOG=y
CONFIG_NETFILTER_XT_TARGET_NFLOG=y
CONFIG_NETFILTER_XT_TARGET_SECMARK=y
CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
CONFIG_NETFILTER_XT_MATCH_POLICY=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_NF_NAT_IPV4=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_MANGLE=y
CONFIG_NF_CONNTRACK_IPV6=y
CONFIG_IP6_NF_IPTABLES=y
CONFIG_IP6_NF_MATCH_IPV6HEADER=y
CONFIG_IP6_NF_MATCH_RT=y
CONFIG_IP6_NF_FILTER=y
CONFIG_IP6_NF_TARGET_REJECT=y
CONFIG_IP6_NF_MANGLE=y
CONFIG_NET_SCHED=y CONFIG_NET_SCHED=y
CONFIG_NET_EMATCH=y CONFIG_NET_EMATCH=y
CONFIG_NET_CLS_ACT=y CONFIG_NET_CLS_ACT=y


@@ -33,13 +33,14 @@ dev tun
# Are we connecting to a TCP or # Are we connecting to a TCP or
# UDP server? Use the same setting as # UDP server? Use the same setting as
# on the server. # on the server.
proto tcp proto tcp-client
;proto udp ;proto udp
# The hostname/IP and port of the server. # The hostname/IP and port of the server.
# You can have multiple remote entries # You can have multiple remote entries
# to load balance between the servers. # to load balance between the servers.
remote 172.20.117.221 1194 remote 172.20.117.221 1194
;remote 2001:7c0:409:8001::2 1194
;remote my-server-2 1194 ;remote my-server-2 1194
# Choose a random host from the remote # Choose a random host from the remote
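Review bot: The server side of this commit switches to `proto tcp6-server` (the later hunk at `port 1194`), while this client keeps the IPv4 `remote 172.20.117.221 1194` active and adds the IPv6 server address only as the commented-out `;remote 2001:7c0:409:8001::2 1194`. Whether the IPv4 remote still connects after that depends on the server's IPv6 listening socket also accepting IPv4-mapped connections, which is a platform default rather than anything either config states. If IPv6 is the intended transport, `proto tcp6-client` with the IPv6 remote uncommented makes that explicit, and the IPv4 line can stay as a fallback remote. A one-line comment above the remote entries naming the transport the server is configured to accept would keep the two files from drifting apart again.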


@@ -18,7 +18,15 @@ LOOP=127.0.0.1
iptables -P OUTPUT DROP iptables -P OUTPUT DROP
iptables -P INPUT DROP iptables -P INPUT DROP
iptables -P FORWARD DROP iptables -P FORWARD DROP
iptables -F
cat /proc/net/ip_tables_names | while read table; do
iptables -t $table -L -n | while read c chain rest; do
if test "X$c" = "XChain" ; then
iptables -t $table -F $chain
fi
done
iptables -t $table -X
done
# Set default policies # Set default policies
iptables -P OUTPUT ACCEPT iptables -P OUTPUT ACCEPT
@@ -33,6 +41,7 @@ iptables -A FORWARD -i $LANIF -d $LOOP -j DROP
# Anything coming from the Network should have a real Internet address, # Anything coming from the Network should have a real Internet address,
# or a known "Uninetz" private address (172.20.0.0/16) # or a known "Uninetz" private address (172.20.0.0/16)
iptables -N Antispoof_172 iptables -N Antispoof_172
iptables -A FORWARD -i $LANIF -s 192.168.0.0/16 -j DROP iptables -A FORWARD -i $LANIF -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i $LANIF -s 172.16.0.0/12 -j Antispoof_172 iptables -A FORWARD -i $LANIF -s 172.16.0.0/12 -j Antispoof_172
@@ -116,3 +125,81 @@ iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $PRIVATE -o $LANIF -j MASQUERADE iptables -t nat -A POSTROUTING -s $PRIVATE -o $LANIF -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward echo "1" > /proc/sys/net/ipv4/ip_forward
## Setup IPv6
IP6PRIVATE=2001:7c0:409:8001::/64
IP6LANIP=2001:7c0:409:8001::2
# Delete old iptables rules
# and temporarily block all traffic.
ip6tables -P OUTPUT DROP
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
cat /proc/net/ip6_tables_names | while read table; do
ip6tables -t $table -L -n | while read c chain rest; do
if test "X$c" = "XChain" ; then
ip6tables -t $table -F $chain
fi
done
ip6tables -t $table -X
done
# Set default policies
ip6tables -P OUTPUT ACCEPT
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
# Loopback
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# Source spoof filtering from us
ip6tables -N SSOutFilterLAN
ip6tables -A OUTPUT -o $LANIF -j SSOutFilterLAN
ip6tables -A FORWARD -o $LANIF -j SSOutFilterLAN
ip6tables -A SSOutFilterLAN -s $IP6LANIP -j RETURN
ip6tables -A SSOutFilterLAN -s fe80::/10 -j RETURN
ip6tables -A SSOutFilterLAN -j LOG --log-prefix "SOURCESPOOFOUT6 "
ip6tables -A SSOutFilterLAN -j DROP
# Source spoof filtering to us
ip6tables -N SSInFilterLAN
ip6tables -A INPUT -i $LANIF -s $IP6LANIP -j SSInFilterLAN
ip6tables -A SSInFilterLAN -j LOG --log-prefix "SOURCESPOOFIN6 "
ip6tables -A SSInFilterLAN -j DROP
# Route errors
ip6tables -N REOutFilterLAN
ip6tables -A OUTPUT -o $LANIF -d $IP6LANIP -j REOutFilterLAN
ip6tables -A FORWARD -o $LANIF -d $IP6LANIP -j REOutFilterLAN
ip6tables -A REOutFilterLAN -j LOG --log-prefix "ROUTEERR6 "
ip6tables -A REOutFilterLAN -j DROP
# State tracking
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow ssh and openvpn access
ip6tables -A INPUT -i $LANIF -d $IP6LANIP -p tcp -m multiport --dports ssh,1194 -m state --state NEW -j ACCEPT
# Allow useful ICMPv6
ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -m state --state NEW -j ACCEPT
ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 3/0 -m state --state NEW -j ACCEPT
ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 3/1 -m state --state NEW -j ACCEPT
ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m state --state NEW -j ACCEPT
ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m state --state NEW -j ACCEPT
ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 129/0 -m state --state NEW -j ACCEPT
# Allow ARPv6
ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 135/0 -j ACCEPT
ip6tables -A INPUT -i $LANIF -p ipv6-icmp -m icmp6 --icmpv6-type 136/0 -j ACCEPT
ip6tables -A INPUT -j LOG --log-prefix "CATCHALL6 "
ip6tables -A FORWARD -j LOG --log-prefix "CATCHALL6 "
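Review bot: The catch-all rules at the end of the hunk (`ip6tables -A INPUT -j LOG --log-prefix "CATCHALL6 "` and its FORWARD twin) and the LOG rules in SSOutFilterLAN, SSInFilterLAN and REOutFilterLAN have no rate limit, so a burst of unsolicited IPv6 traffic on $LANIF goes straight into syslog; inserting `-m limit --limit 5/min --limit-burst 10` before `-j LOG` on each of them bounds that. `IP6PRIVATE` is assigned at the top of the block but not referenced in any visible line, and it is the same /64 that `IP6LANIP` belongs to, so as shown SSOutFilterLAN RETURNs only for `$IP6LANIP` and fe80::/10 and would log and drop a forwarded packet sourced from any other address in that prefix; the hunk header announces 81 new lines and the page shows fewer, so the remainder is presumably where IP6PRIVATE is used and that interaction should be checked there. The table-flush loops also use `read` without `-r` and unquoted `$table`/`$chain`; `while read -r table` and `ip6tables -t "$table" -F "$chain"` would be the safer form.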


@@ -32,7 +32,7 @@
port 1194 port 1194
# TCP or UDP server? # TCP or UDP server?
proto tcp proto tcp6-server
;proto udp ;proto udp
# "dev tun" will create a routed IP tunnel, # "dev tun" will create a routed IP tunnel,


@@ -0,0 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCgvPpPNe3SxVtXWeyWE/cB+ME+8q8goWQLDnGfjtEFdStL/2d39yyiqEvE1ystjfrdrhd6xcwYntAAiX/8LsV9kGOGx2QMxiAaKNboEJKFwPqeOQLYY69DDq3n4VQaNlMMNzsqSTDuaS/Gl4WZqvpYQ4wJaS3Ln95ec0zFLyUWyyh3uaw7iv/iJUX9NLlCTbuEtrhswnHyYK7x1g9LWBAtBER0QLAIU1CO/VCeRmfgKf0OIzdKiBw2lgVAwpme/LPh7SAQhQoRcQdkBCZH/Wl9K0Bp/it6BwSYaHVChEaN7BIOrD2kGNAfQn+KSfmCua1OP3OAQvtsZyCSeor1Y05/ matthias@pc