adding customer interface bgp firewall fules

This commit is contained in:
toby 2019-01-02 22:29:23 +01:00
parent 7468e4fddf
commit e88b13e51d
1 changed files with 4 additions and 0 deletions


@ -46,6 +46,8 @@ case $1 in
iptables -A INPUT -i up+ -p gre -j ACCEPT # gre tunnels from other sites
iptables -A INPUT -i up+ -p tcp --dport 179 -j ACCEPT # upstream to public bgp
iptables -A INPUT -i up+ -p tcp --sport 179 -j ACCEPT # upstream from public bgp
iptables -A INPUT -i customer+ -p tcp --dport 179 -j ACCEPT # downstream bgp for dedicated customer
iptables -A INPUT -i customer+ -p tcp --sport 179 -j ACCEPT # downstream bgp for dedicated customers
### mgmt
iptables -A INPUT -i mgmt -p tcp --dport 22 -j ACCEPT
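Review bot: The `--sport 179` accept on `customer+` (second added line of this hunk, and its ip6tables twin in the hunk at +113) matches on source port alone and is not tied to a session this router opened, so in effect it admits any TCP traffic from the customer side to every local service, which is a far wider grant than the downstream-BGP comment describes. If the INPUT chain already carries a `-m conntrack --ctstate ESTABLISHED,RELATED` rule ahead of these, the sport line is redundant and should be dropped; if not, bind it to reply traffic, e.g. `iptables -A INPUT -i customer+ -p tcp --sport 179 -m conntrack --ctstate ESTABLISHED -j ACCEPT`, with the same change for ip6tables. The `up+` rules above show the same pattern, but customer interfaces are the less trusted side, so that is where tightening matters most. The `case $1 in` body that holds these rules starts and ends outside the hunk, so the surrounding chain policy cannot be confirmed from here.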
@ -111,6 +113,8 @@ case $1 in
ip6tables -A INPUT -s fe80::/10 -i ibgp+ -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
ip6tables -A INPUT -i up+ -p tcp --dport 179 -j ACCEPT # bgp to public peer
ip6tables -A INPUT -i up+ -p tcp --sport 179 -j ACCEPT # bgp from public peer
ip6tables -A INPUT -i customer+ -p tcp --dport 179 -j ACCEPT # downstream bgp for dedicated customer
ip6tables -A INPUT -i customer+ -p tcp --sport 179 -j ACCEPT # downstream bgp for dedicated customers
### mgmt
ip6tables -A INPUT -i mgmt1 -s fe80::/10 -p udp --dport 546 -j ACCEPT # allow dhcp replys, unlcear why but needs the physical interface not vrf