firewall: add a TTL hop-check to the BGP firewall rules; this makes the fairly wide-open BGP rules a bit more secure
This commit is contained in:
parent
b9d53909b8
commit
90e3484f5c
|
@ -44,10 +44,10 @@ case $1 in
|
|||
|
||||
## rules for edge nodes, these should be more specific but for now, it'll do
|
||||
iptables -A INPUT -i up+ -p gre -j ACCEPT # gre tunnels from other sites
|
||||
iptables -A INPUT -i up+ -p tcp --dport 179 -j ACCEPT # upstream to public bgp
|
||||
iptables -A INPUT -i up+ -p tcp --sport 179 -j ACCEPT # upstream from public bgp
|
||||
iptables -A INPUT -i customer+ -p tcp --dport 179 -j ACCEPT # downstream bgp for dedicated customer
|
||||
iptables -A INPUT -i customer+ -p tcp --sport 179 -j ACCEPT # downstream bgp for dedicated customers
|
||||
iptables -A INPUT -i up+ -m ttl --ttl-eq 1 -p tcp --dport 179 -j ACCEPT # upstream to public bgp
|
||||
iptables -A INPUT -i up+ -m ttl --ttl-eq 1 -p tcp --sport 179 -j ACCEPT # upstream from public bgp
|
||||
iptables -A INPUT -i customer+ -m ttl --ttl-eq 1 -p tcp --dport 179 -j ACCEPT # downstream bgp for dedicated customer
|
||||
iptables -A INPUT -i customer+ -m ttl --ttl-eq 1 -p tcp --sport 179 -j ACCEPT # downstream bgp for dedicated customers
|
||||
|
||||
### mgmt
|
||||
iptables -A INPUT -i mgmt -p tcp --dport 22 -j ACCEPT
|
||||
|
@ -96,8 +96,8 @@ case $1 in
|
|||
ip6tables -A INPUT -p udp --dport 500 --sport 500 -j ACCEPT # ipsec
|
||||
ip6tables -A INPUT -p udp --dport 4500 --sport 4500 -j ACCEPT # ipsec
|
||||
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT # icmp
|
||||
ip6tables -A INPUT -s fe80::/10 -i feth+ -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
|
||||
ip6tables -A INPUT -s fe80::/10 -i feth+ -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
|
||||
ip6tables -A INPUT -s fe80::/10 -i feth+ -m hl --hl-eq 1 -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
|
||||
ip6tables -A INPUT -s fe80::/10 -i feth+ -m hl --hl-eq 1 -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
|
||||
|
||||
## external services we depend upon
|
||||
ip6tables -A INPUT -s 2600:1f14:3f:1b01:e296:593a:484a:64d2 -p tcp --sport 9091 -j ACCEPT # prometheus pushgateway
|
||||
|
@ -121,14 +121,14 @@ case $1 in
|
|||
ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 49152:49215 -j ACCEPT # libvirt live migration
|
||||
|
||||
## rules for edge nodes, these should be more specific but for now, it'll do
|
||||
ip6tables -A INPUT -s fe80::/10 -i gre+ -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
|
||||
ip6tables -A INPUT -s fe80::/10 -i gre+ -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
|
||||
ip6tables -A INPUT -s fe80::/10 -i ibgp+ -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
|
||||
ip6tables -A INPUT -s fe80::/10 -i ibgp+ -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
|
||||
ip6tables -A INPUT -i up+ -p tcp --dport 179 -j ACCEPT # bgp to public peer
|
||||
ip6tables -A INPUT -i up+ -p tcp --sport 179 -j ACCEPT # bgp from public peer
|
||||
ip6tables -A INPUT -i customer+ -p tcp --dport 179 -j ACCEPT # downstream bgp for dedicated customer
|
||||
ip6tables -A INPUT -i customer+ -p tcp --sport 179 -j ACCEPT # downstream bgp for dedicated customers
|
||||
ip6tables -A INPUT -s fe80::/10 -i gre+ -m hl --hl-eq 1 -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
|
||||
ip6tables -A INPUT -s fe80::/10 -i gre+ -m hl --hl-eq 1 -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
|
||||
ip6tables -A INPUT -s fe80::/10 -i ibgp+ -m hl --hl-eq 1 -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
|
||||
ip6tables -A INPUT -s fe80::/10 -i ibgp+ -m hl --hl-eq 1 -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
|
||||
ip6tables -A INPUT -i up+ -m hl --hl-eq 1 -p tcp --dport 179 -j ACCEPT # bgp to public peer
|
||||
ip6tables -A INPUT -i up+ -m hl --hl-eq 1 -p tcp --sport 179 -j ACCEPT # bgp from public peer
|
||||
ip6tables -A INPUT -i customer+ -m hl --hl-eq 1 -p tcp --dport 179 -j ACCEPT # downstream bgp for dedicated customer
|
||||
ip6tables -A INPUT -i customer+ -m hl --hl-eq 1 -p tcp --sport 179 -j ACCEPT # downstream bgp for dedicated customers
|
||||
|
||||
### mgmt
|
||||
ip6tables -A INPUT -i mgmt1 -s fe80::/10 -p udp --dport 546 -j ACCEPT # allow dhcp replys, unlcear why but needs the physical interface not vrf
|
||||
|
|
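Review bot: The `-m ttl --ttl-eq 1` added to the up+/customer+ rules in the first hunk (and `-m hl --hl-eq 1` on the ip6tables rules in the two later hunks) accepts on the TTL that is left after forwarding, which is not the hop-count protection RFC 5082 (GTSM) describes: a remote sender can pick an initial TTL that arrives as 1, whereas a packet originated with TTL 255 cannot still read 255 or 254 after crossing more than one router. If the goal is hop-count protection, the peers have to originate BGP with TTL 255 (the BGP daemon's ttl-security/GTSM option) and the rules should change to `-m ttl --ttl-gt 253` / `-m hl --hl-gt 253`; as written, `--ttl-eq 1` only matches the default eBGP TTL and would drop the session of any peer that already has GTSM turned on. Whichever is intended, the rule comment should say which TTL the peers are expected to send, e.g. `# peers send TTL 1 (no GTSM); use --ttl-gt 253 once peers run ttl-security`. The enclosing `case $1 in` block starts and ends outside these hunks.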