From e88b13e51defcacec2018aa7288ff3cc1bdfd62d Mon Sep 17 00:00:00 2001
From: toby
Date: Wed, 2 Jan 2019 22:29:23 +0100
Subject: [PATCH] adding customer interface bgp firewall fules

---
 files/firewall | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/files/firewall b/files/firewall
index 82240bf..189909a 100755
--- a/files/firewall
+++ b/files/firewall
@@ -46,6 +46,8 @@ case $1 in
 iptables -A INPUT -i up+ -p gre -j ACCEPT # gre tunnels from other sites
 iptables -A INPUT -i up+ -p tcp --dport 179 -j ACCEPT # upstream to public bgp
 iptables -A INPUT -i up+ -p tcp --sport 179 -j ACCEPT # upstream from public bgp
+ iptables -A INPUT -i customer+ -p tcp --dport 179 -j ACCEPT # downstream bgp for dedicated customer
+ iptables -A INPUT -i customer+ -p tcp --sport 179 -j ACCEPT # downstream bgp for dedicated customers
 
 ### mgmt
 iptables -A INPUT -i mgmt -p tcp --dport 22 -j ACCEPT
@@ -111,6 +113,8 @@ case $1 in
 ip6tables -A INPUT -s fe80::/10 -i ibgp+ -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
 ip6tables -A INPUT -i up+ -p tcp --dport 179 -j ACCEPT # bgp to public peer
 ip6tables -A INPUT -i up+ -p tcp --sport 179 -j ACCEPT # bgp from public peer
+ ip6tables -A INPUT -i customer+ -p tcp --dport 179 -j ACCEPT # downstream bgp for dedicated customer
+ ip6tables -A INPUT -i customer+ -p tcp --sport 179 -j ACCEPT # downstream bgp for dedicated customers
 
 ### mgmt
 ip6tables -A INPUT -i mgmt1 -s fe80::/10 -p udp --dport 546 -j ACCEPT # allow dhcp replys, unlcear why but needs the physical interface not vrf
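Review bot: The new `--sport 179` accept on `customer+` (second added line of the `@@ -46,6 +46,8 @@` hunk, and the same line in the ip6tables hunk at `@@ -111,6 +113,8 @@`) matches any inbound TCP packet to any local port as long as the peer side uses source port 179, because the rule checks neither the destination port nor connection state; a downstream customer interface deserves a tighter rule than the existing `up+` lines it was copied from. If the script already accepts ESTABLISHED,RELATED traffic earlier in the INPUT chain (not visible in this hunk) the sport rule is redundant and can be dropped; otherwise limit it to reply traffic, e.g. `iptables -A INPUT -i customer+ -p tcp --sport 179 -m conntrack --ctstate ESTABLISHED -j ACCEPT` (and the `ip6tables` equivalent). The `case $1 in` arm containing these lines starts and ends outside both hunks. The two trailing comments also disagree (`dedicated customer` vs `dedicated customers`); use one wording for both lines.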