From 90e3484f5cc8e3e9d410f18743963baeb04cade6 Mon Sep 17 00:00:00 2001
From: toby
Date: Tue, 5 Feb 2019 20:42:36 -0800
Subject: [PATCH] firewall: adding TTL hop-check on the BGP firewall rules. this makes it a bit more secure on fairly wide open BGP rules
---
 files/firewall | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/files/firewall b/files/firewall
index 0fcb936..88f3a17 100755
--- a/files/firewall
+++ b/files/firewall
@@ -44,10 +44,10 @@ case $1 in
 ## rules for edge nodes, these should be more specific but for now, it'll do
 iptables -A INPUT -i up+ -p gre -j ACCEPT # gre tunnels from other sites
- iptables -A INPUT -i up+ -p tcp --dport 179 -j ACCEPT # upstream to public bgp
- iptables -A INPUT -i up+ -p tcp --sport 179 -j ACCEPT # upstream from public bgp
- iptables -A INPUT -i customer+ -p tcp --dport 179 -j ACCEPT # downstream bgp for dedicated customer
- iptables -A INPUT -i customer+ -p tcp --sport 179 -j ACCEPT # downstream bgp for dedicated customers
+ iptables -A INPUT -i up+ -m ttl --ttl-eq 1 -p tcp --dport 179 -j ACCEPT # upstream to public bgp
+ iptables -A INPUT -i up+ -m ttl --ttl-eq 1 -p tcp --sport 179 -j ACCEPT # upstream from public bgp
+ iptables -A INPUT -i customer+ -m ttl --ttl-eq 1 -p tcp --dport 179 -j ACCEPT # downstream bgp for dedicated customer
+ iptables -A INPUT -i customer+ -m ttl --ttl-eq 1 -p tcp --sport 179 -j ACCEPT # downstream bgp for dedicated customers
 ### mgmt
 iptables -A INPUT -i mgmt -p tcp --dport 22 -j ACCEPT
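Review bot: The new `-m ttl --ttl-eq 1` matches on the four iptables BGP rules do not provide the hardening the commit message claims, because the TTL is chosen by the sender and decremented once per hop, so a packet from an off-link host can still arrive with a TTL of 1; the match only screens out traffic that happened to be sent with a larger remaining TTL. The mechanism that actually binds a BGP session to a directly connected peer is GTSM (RFC 5082): both ends send with TTL 255 and the receiver accepts only `--ttl-eq 255` (IPv6: `-m hl --hl-eq 255`), a value an off-link sender cannot present on arrival, e.g. `iptables -A INPUT -i up+ -m ttl --ttl-eq 255 -p tcp --dport 179 -j ACCEPT`; the same substitution applies to the ip6tables rules in the two later hunks (the `fe80::/10` rules gain little either way, since a link-local source already implies an on-link peer). Switching to 255 requires the local BGP daemon and every peer to be configured for GTSM, because a peer still sending the default eBGP TTL of 1 would then be dropped, and the `--sport 179 ... -j ACCEPT` lines remain broad in that they admit any destination port from a source port of 179. The enclosing `case $1 in` block starts and ends outside the hunk.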
@@ -96,8 +96,8 @@ case $1 in
 ip6tables -A INPUT -p udp --dport 500 --sport 500 -j ACCEPT # ipsec
 ip6tables -A INPUT -p udp --dport 4500 --sport 4500 -j ACCEPT # ipsec
 ip6tables -A INPUT -p ipv6-icmp -j ACCEPT # icmp
- ip6tables -A INPUT -s fe80::/10 -i feth+ -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
- ip6tables -A INPUT -s fe80::/10 -i feth+ -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
+ ip6tables -A INPUT -s fe80::/10 -i feth+ -m hl --hl-eq 1 -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
+ ip6tables -A INPUT -s fe80::/10 -i feth+ -m hl --hl-eq 1 -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
 ## external services we depend upon
 ip6tables -A INPUT -s 2600:1f14:3f:1b01:e296:593a:484a:64d2 -p tcp --sport 9091 -j ACCEPT # prometheus pushgateway
@@ -121,14 +121,14 @@ case $1 in
 ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 49152:49215 -j ACCEPT # libvirt live migration
 ## rules for edge nodes, these should be more specific but for now, it'll do
- ip6tables -A INPUT -s fe80::/10 -i gre+ -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
- ip6tables -A INPUT -s fe80::/10 -i gre+ -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
- ip6tables -A INPUT -s fe80::/10 -i ibgp+ -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
- ip6tables -A INPUT -s fe80::/10 -i ibgp+ -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
- ip6tables -A INPUT -i up+ -p tcp --dport 179 -j ACCEPT # bgp to public peer
- ip6tables -A INPUT -i up+ -p tcp --sport 179 -j ACCEPT # bgp from public peer
- ip6tables -A INPUT -i customer+ -p tcp --dport 179 -j ACCEPT # downstream bgp for dedicated customer
- ip6tables -A INPUT -i customer+ -p tcp --sport 179 -j ACCEPT # downstream bgp for dedicated customers
+ ip6tables -A INPUT -s fe80::/10 -i gre+ -m hl --hl-eq 1 -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
+ ip6tables -A INPUT -s fe80::/10 -i gre+ -m hl --hl-eq 1 -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
+ ip6tables -A INPUT -s fe80::/10 -i ibgp+ -m hl --hl-eq 1 -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
+ ip6tables -A INPUT -s fe80::/10 -i ibgp+ -m hl --hl-eq 1 -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
+ ip6tables -A INPUT -i up+ -m hl --hl-eq 1 -p tcp --dport 179 -j ACCEPT # bgp to public peer
+ ip6tables -A INPUT -i up+ -m hl --hl-eq 1 -p tcp --sport 179 -j ACCEPT # bgp from public peer
+ ip6tables -A INPUT -i customer+ -m hl --hl-eq 1 -p tcp --dport 179 -j ACCEPT # downstream bgp for dedicated customer
+ ip6tables -A INPUT -i customer+ -m hl --hl-eq 1 -p tcp --sport 179 -j ACCEPT # downstream bgp for dedicated customers
 ###
mgmt ip6tables -A INPUT -i mgmt1 -s fe80::/10 -p udp --dport 546 -j ACCEPT # allow dhcp replys, unlcear why but needs the physical interface not vrf