diff --git a/debian/control b/debian/control
index 489a9ca..0ab8c11 100644
--- a/debian/control
+++ b/debian/control
@@ -9,7 +9,7 @@ Vcs-Git: https://git.wit.com/netops/wit-network-config
 Package: wit-network-config
 Architecture: all
-Depends: systemd, sed, tcpdump, mtr-tiny, iproute2, ifupdown, ipmitool, iptables, lldpd, strongswan, telnet, netcat, fping, curl, wget, ifstat, rsyslog, ncurses-term, net-tools, bridge-utils, vlan, gnupg, sudo, isc-dhcp-client, bind9-host, dnsutils, frr (>= 5.0.1-wit), frr (<< 5.0.2-wit)
+Depends: systemd, sed, tcpdump, mtr-tiny, iproute2, ifupdown, ipmitool, iptables, lldpd, strongswan, telnet, netcat, fping, curl, wget, ifstat, rsyslog, ncurses-term, net-tools, bridge-utils, vlan, gnupg, sudo, isc-dhcp-client, bind9-host, dnsutils, libstrongswan-extra-plugins, frr (>= 5.0.1-wit), frr (<< 5.0.2-wit)
 Provides: ${diverted-files}
 Conflicts: ${diverted-files}, dhcpcd5
 Description: configure network for a standard wit compute and/or data node
diff --git a/files/firewall b/files/firewall
index a199257..169100f 100755
--- a/files/firewall
+++ b/files/firewall
@@ -47,16 +47,20 @@ case $1 in
 #### IPv6
 ip6tables -P INPUT ACCEPT
 ip6tables -F INPUT
- ip6tables -A INPUT -p ipv6-icmp -j ACCEPT # ping
- ip6tables -A INPUT -s 2604:bbc0:0:113::1 -p udp --sport 53 -j ACCEPT # dns
- ip6tables -A INPUT -s 2001:67c:1560:8003::c7 -p udp --sport 123 -j ACCEPT # ntp
- ip6tables -A INPUT -s 2001:67c:1560:8003::c8 -p udp --sport 123 -j ACCEPT # ntp
- ip6tables -A INPUT -s fe80::/10 -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
- ip6tables -A INPUT -s fe80::/10 -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
+ #unencrypted traffic
+ ip6tables -A INPUT -p esp -j ACCEPT # ipsec
+ ip6tables -A INPUT -p udp --dport 500 --sport 500 -j ACCEPT # ipsec
+ ip6tables -A INPUT -p udp --dport 4500 --sport 4500 -j ACCEPT # ipsec
+ ip6tables -A INPUT -p ipv6-icmp -j ACCEPT # ping
+ ip6tables -A INPUT -s 2604:bbc0:0:113::1 -p udp --sport 53 -j ACCEPT # dns
+ ip6tables -A INPUT -s 2001:67c:1560:8003::c7 -p udp --sport 123 -j ACCEPT # ntp
+ ip6tables -A INPUT -s 2001:67c:1560:8003::c8 -p udp --sport 123 -j ACCEPT # ntp
+ ip6tables -A INPUT -s fe80::/10 -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
+ ip6tables -A INPUT -s fe80::/10 -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
 ### mgmt
- ip6tables -A INPUT -i mgmt1 -s fe80::/10 -p udp --dport 546 -j ACCEPT # allow dhcp replys, unlcear why this needs the physical interface instead of the vrf
- ip6tables -A INPUT -i mgmt -p tcp --dport 22 -j ACCEPT # allow ssh from mgmt
- ip6tables -A INPUT -i mgmt -m state --state ESTABLISHED,RELATED -j ACCEPT # allow stateful connections over mgmt
+ ip6tables -A INPUT -i mgmt1 -s fe80::/10 -p udp --dport 546 -j ACCEPT # allow dhcp replys, unlcear why this needs the physical interface instead of the vrf
+ ip6tables -A INPUT -i mgmt -p tcp --dport 22 -j ACCEPT # allow ssh from mgmt
+ ip6tables -A INPUT -i mgmt -m state --state ESTABLISHED,RELATED -j ACCEPT # allow stateful connections over mgmt
 ### DROP the rest
 ip6tables -P INPUT DROP
diff --git a/files/ipsec.conf.wit b/files/ipsec.conf.wit
index 46ee260..fbfdf0c 100644
--- a/files/ipsec.conf.wit
+++ b/files/ipsec.conf.wit
@@ -19,14 +19,22 @@ conn %default
 keyexchange=ikev1
 ike=aes128-sha1-modp2048!
 esp=aes128-sha1-modp2048!
-
-
-conn loopbacks
- auto=route
- leftsubnet=10.1.0.0/16
- rightsubnet=10.1.0.0/16
- right=%any
 leftcert=FQHOSTNAME.crt
 leftid="C=US, O=Wit, CN=FQHOSTNAME"
 rightid="C=US, O=Wit, CN=*"
+ auto=route
+
+
+conn loopback4
+ leftsourceip=%config4
+ leftsubnet=10.1.0.0/16
+ rightsubnet=10.1.0.0/16
+ right=%any4
+
+
+conn loopback6
+ leftsourceip=%config6
+ leftsubnet=2604:bbc0:0:100::/56
+ rightsubnet=2604:bbc0:0:100::/56
+ right=%any6
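Review bot: The `#unencrypted traffic` comment added at the top of the new IPv6 rules labels the wrong lines: the three rules directly beneath it accept ESP and IKE on udp/500 and udp/4500, which are the encrypted and keying traffic, while the ICMP, DNS, NTP and BGP accepts that follow are the plaintext exceptions. Move the comment down so it sits above the `ip6tables -A INPUT -p ipv6-icmp -j ACCEPT # ping` line and head the ESP/IKE group with `# ipsec: esp, ike (udp/500), nat-t (udp/4500)`. The three new accepts also carry no `-s` restriction, unlike the DNS and NTP rules a few lines down; that is presumably intentional because the ipsec.conf peers are `right=%any`, but a short comment saying so (`# any peer; authentication happens in IKE, not here`) would keep a later reader from "tightening" it and silently breaking the mesh. The enclosing `case $1 in` block starts outside the hunk.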
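Review bot: `leftsourceip=%config4` and `leftsourceip=%config6` in the new `loopback4` and `loopback6` conns ask the peer to hand out a virtual IP, but nothing in this hunk defines a `rightsourceip` pool that could answer such a request, so if every node runs this same file the request has no server side; if the intent is only to split the v4 and v6 traffic selectors, the two `leftsourceip` lines look unnecessary — confirm against a peer's charon log before merging. Moving `auto=route` into `conn %default` also applies it to every conn that inherits these defaults, not only the two loopback conns; if that is wanted, record it on the line (`auto=route # all conns in this file are trap-policy meshes`), otherwise keep `auto=route` inside each loopback conn as the old `conn loopbacks` did. The `conn %default` stanza begins outside the hunk, and the hunk header counts suggest one context line was lost in collapsing, so the end of the `loopback6` conn should be checked in the real patch.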