adding ipv6 tunnel to strongswan and matching firewall rules

This commit is contained in:
toby 2018-09-17 21:28:02 +02:00
parent 05cb6ef35f
commit 37c69ab507
3 changed files with 29 additions and 17 deletions

debian/control vendored

@ -9,7 +9,7 @@ Vcs-Git: https://git.wit.com/netops/wit-network-config
Package: wit-network-config
Architecture: all
Depends: systemd, sed, tcpdump, mtr-tiny, iproute2, ifupdown, ipmitool, iptables, lldpd, strongswan, telnet, netcat, fping, curl, wget, ifstat, rsyslog, ncurses-term, net-tools, bridge-utils, vlan, gnupg, sudo, isc-dhcp-client, bind9-host, dnsutils, frr (>= 5.0.1-wit), frr (<< 5.0.2-wit)
Depends: systemd, sed, tcpdump, mtr-tiny, iproute2, ifupdown, ipmitool, iptables, lldpd, strongswan, telnet, netcat, fping, curl, wget, ifstat, rsyslog, ncurses-term, net-tools, bridge-utils, vlan, gnupg, sudo, isc-dhcp-client, bind9-host, dnsutils, libstrongswan-extra-plugins, frr (>= 5.0.1-wit), frr (<< 5.0.2-wit)
Provides: ${diverted-files}
Conflicts: ${diverted-files}, dhcpcd5
Description: configure network for a standard wit compute and/or data node


@ -47,16 +47,20 @@ case $1 in
#### IPv6
ip6tables -P INPUT ACCEPT
ip6tables -F INPUT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT # ping
ip6tables -A INPUT -s 2604:bbc0:0:113::1 -p udp --sport 53 -j ACCEPT # dns
ip6tables -A INPUT -s 2001:67c:1560:8003::c7 -p udp --sport 123 -j ACCEPT # ntp
ip6tables -A INPUT -s 2001:67c:1560:8003::c8 -p udp --sport 123 -j ACCEPT # ntp
ip6tables -A INPUT -s fe80::/10 -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
ip6tables -A INPUT -s fe80::/10 -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
#unencrypted traffic
ip6tables -A INPUT -p esp -j ACCEPT # ipsec
ip6tables -A INPUT -p udp --dport 500 --sport 500 -j ACCEPT # ipsec
ip6tables -A INPUT -p udp --dport 4500 --sport 4500 -j ACCEPT # ipsec
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT # ping
ip6tables -A INPUT -s 2604:bbc0:0:113::1 -p udp --sport 53 -j ACCEPT # dns
ip6tables -A INPUT -s 2001:67c:1560:8003::c7 -p udp --sport 123 -j ACCEPT # ntp
ip6tables -A INPUT -s 2001:67c:1560:8003::c8 -p udp --sport 123 -j ACCEPT # ntp
ip6tables -A INPUT -s fe80::/10 -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
ip6tables -A INPUT -s fe80::/10 -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
### mgmt
ip6tables -A INPUT -i mgmt1 -s fe80::/10 -p udp --dport 546 -j ACCEPT # allow dhcp replys, unlcear why this needs the physical interface instead of the vrf
ip6tables -A INPUT -i mgmt -p tcp --dport 22 -j ACCEPT # allow ssh from mgmt
ip6tables -A INPUT -i mgmt -m state --state ESTABLISHED,RELATED -j ACCEPT # allow stateful connections over mgmt
ip6tables -A INPUT -i mgmt1 -s fe80::/10 -p udp --dport 546 -j ACCEPT # allow dhcp replys, unlcear why this needs the physical interface instead of the vrf
ip6tables -A INPUT -i mgmt -p tcp --dport 22 -j ACCEPT # allow ssh from mgmt
ip6tables -A INPUT -i mgmt -m state --state ESTABLISHED,RELATED -j ACCEPT # allow stateful connections over mgmt
### DROP the rest
ip6tables -P INPUT DROP
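Review bot: The three new IPsec accepts (`-p esp`, udp 500, udp 4500) are the only rules in this block with neither a `-s` nor an `-i` restriction, so any IPv6 source on any interface can now reach IKE and ESP on this host, and the hunk adds no rule for the traffic that emerges from the tunnel after decryption — unless that is accepted elsewhere in the script, decrypted packets from the `2604:bbc0:0:100::/56` peers will still fall through to the `-P INPUT DROP` policy at the end of the block. Where the peers are known, restricting IKE to their prefix, or accepting decrypted traffic explicitly with `ip6tables -A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT`, keeps this section as tight as the dns/ntp/bgp rules around it. The `#unencrypted traffic` label sits directly above the ESP rule, which is the encrypted path; if it is meant to mark everything allowed outside the tunnel it should say so, e.g. `# allowed outside the IPsec tunnel: IKE/ESP themselves, then icmp/dns/ntp/bgp`. The enclosing `case $1 in` branch starts before this hunk.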


@ -19,14 +19,22 @@ conn %default
keyexchange=ikev1
ike=aes128-sha1-modp2048!
esp=aes128-sha1-modp2048!
conn loopbacks
auto=route
leftsubnet=10.1.0.0/16
rightsubnet=10.1.0.0/16
right=%any
leftcert=FQHOSTNAME.crt
leftid="C=US, O=Wit, CN=FQHOSTNAME"
rightid="C=US, O=Wit, CN=*"
auto=route
conn loopback4
leftsourceip=%config4
leftsubnet=10.1.0.0/16
rightsubnet=10.1.0.0/16
right=%any4
conn loopback6
leftsourceip=%config6
leftsubnet=2604:bbc0:0:100::/56
rightsubnet=2604:bbc0:0:100::/56
right=%any6
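Review bot: `conn loopback6` accepts `right=%any6` for the whole `2604:bbc0:0:100::/56` on both sides, and the only peer authorization visible in this hunk is the wildcard `rightid="C=US, O=Wit, CN=*"`, so any certificate issued by that CA can negotiate selectors covering the entire prefix; if that mesh is intended, a comment stating that per-host restriction is delegated to CA issuance would make the trust model explicit, e.g. `# any Wit-CA certificate may claim any address in the /56; per-host restriction relies on CA issuance policy`. `leftsourceip=%config6` requests a virtual IPv6 address from the peer while `right=%any6` makes this end a responder for any peer, so whether every peer is configured to hand out such an address is not visible here and is worth confirming. The new conn also reuses the `%default` proposal shown in context (`keyexchange=ikev1`, `ike=aes128-sha1-modp2048!`), which this commit leaves untouched; extending the deployment to IPv6 is a natural point to revisit IKEv1 and the SHA-1 integrity choice there. The `conn %default` section begins before this hunk.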