
Update documentation:
 * Add firewall section
 * Update Policy Routing
 * Update Internet-Exit
kokel committed May 20, 2016
1 parent 7586f82 commit f4ce616
Showing 4 changed files with 112 additions and 41 deletions.
28 changes: 28 additions & 0 deletions ffmwu_gateway_doku/configuration/firewall.rst
@@ -0,0 +1,28 @@
.. _firewall:

Firewall
========

Die Freifunk Gateways sollen in erster Linie Netzwerkpakete zwischen Freifunk-Netzen routen.
Deshalb verstehen wir die Gateways primär als Router. Mittels Policy Routing und Blackhole Routes stellen wir sicher,
dass Netzwerk-Pakete keinen falschen Weg laufen können. Dennoch sind ein paar wenige Firewall-Regeln erforderlich,
um z.B. invalide Pakete so früh wie möglich zu verwerfen::

iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

iptables-save > /etc/iptables/rules.v4

ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -m conntrack --ctstate INVALID -j DROP
ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

ip6tables-save > /etc/iptables/rules.v6

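Review bot: the new section never says how /etc/iptables/rules.v4 and rules.v6 are loaded again at boot; those are the paths iptables-persistent (netfilter-persistent on newer Debian) restores from, so name the package or mechanism the gateways rely on. It should also state explicitly that the chains keep their default policy and that these six rules only discard INVALID packets and short-circuit RELATED,ESTABLISHED; nothing here restricts NEW traffic, which fits the "gateways are routers" framing but must not be mistaken for a filtering firewall. Finally, because everything is appended with `-A`, these rules land behind anything already present, such as the `-I INPUT 1` GRE exceptions from internetexit.rst in this same commit; a sentence on the order in which the two sections are applied would avoid surprises.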
29 changes: 14 additions & 15 deletions ffmwu_gateway_doku/configuration/internetexit.rst
@@ -652,8 +652,7 @@ iptables
Für IPv4 natten wir weiterhin und legen dafür die entsprechenden iptables Regeln an::

iptables -t nat -N ffrl-nat
iptables -t nat -A ffrl-nat -s 10.37.0.0/16 -o ffrl+ -j SNAT --to-source 185.66.195.36
iptables -t nat -A ffrl-nat -s 10.56.0.0/16 -o ffrl+ -j SNAT --to-source 185.66.195.36
iptables -t nat -A ffrl-nat -o ffrl+ -j SNAT --to-source 185.66.195.36
iptables -t nat -A POSTROUTING -s 10.37.0.0/16 -o ffrl+ -j ffrl-nat
iptables -t nat -A POSTROUTING -s 10.56.0.0/16 -o ffrl+ -j ffrl-nat

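Review bot: collapsing the two per-source SNAT rules into the single `iptables -t nat -A ffrl-nat -o ffrl+ -j SNAT --to-source 185.66.195.36` moves the only source restriction into the two POSTROUTING jump rules (`-s 10.37.0.0/16` and `-s 10.56.0.0/16`). That is fine as long as nothing else ever jumps into ffrl-nat, but a one-line remark that the chain deliberately trusts its callers would keep the next editor from re-adding the per-source filters or from jumping into it from another chain without a source match. Nothing is lost functionally, since both removed rules used the same --to-source.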
@@ -676,6 +675,12 @@ Ohne weiteren Eingriff würde das dazu führen, dass viele TCP Verbindungen einf

ip6tables-save > /etc/iptables/rules.v6

Da wir per iptables invalide Pakete verwerfen müssen wir sicherstellen, dass GRE-Pakete vorher erlaubt werden::

iptables -I INPUT 1 -d 144.76.209.100/32 -p gre -j ACCEPT
iptables -I OUTPUT 1 -s 144.76.209.100/32 -p gre -j ACCEPT

iptables-save > /etc/iptables/rules.v4

Policy Routing
~~~~~~~~~~~~~~
@@ -685,27 +690,19 @@ Für das Internet-Routing über Freifunk Rheinland sind noch folgende IP Rules i

# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
...
ip -4 rule add from all iif ffrl-a-fra3-fra lookup mwu priority 7
ip -4 rule add from all iif ffrl-b-fra3-fra lookup mwu priority 7
ip -4 rule add from all iif ffrl-a-ak-ber lookup mwu priority 7
ip -4 rule add from all iif ffrl-b-ak-ber lookup mwu priority 7
ip -4 rule add from all iif ffrl-a-ix-dus lookup mwu priority 7
ip -4 rule add from all iif ffrl-b-ix-dus lookup mwu priority 7
...
ip -6 rule add from all iif ffrl-a-fra3-fra lookup mwu priority 7
ip -6 rule add from all iif ffrl-b-fra3-fra lookup mwu priority 7
ip -6 rule add from all iif ffrl-a-ak-ber lookup mwu priority 7
ip -6 rule add from all iif ffrl-b-ak-ber lookup mwu priority 7
ip -6 rule add from all iif ffrl-a-ix-dus lookup mwu priority 7
ip -6 rule add from all iif ffrl-b-ix-dus lookup mwu priority 7
ip -6 rule add from 2a03:2260:11a::/48 lookup mwu priority 7
ip -6 rule add to 2a03:2260:11a::/48 lookup mwu priority 7
ip -6 rule add from 2a03:2260:11b::/48 lookup mwu priority 7
ip -6 rule add to 2a03:2260:11b::/48 lookup mwu priority 7

# Priority 41 - lookup rt_table ffinetexit for all incoming traffic of freifunk bridges
...
ip -4 rule add from 185.66.195.36/32 lookup ffinetexit priority 41
ip -4 rule add to 185.66.195.36/32 lookup ffinetexit priority 41
ip -6 rule add from 2a03:2260:11a::/48 lookup ffinetexit priority 41
ip -6 rule add to 2a03:2260:11a::/48 lookup ffinetexit priority 41
ip -6 rule add from 2a03:2260:11b::/48 lookup ffinetexit priority 41
ip -6 rule add to 2a03:2260:11b::/48 lookup ffinetexit priority 41

# Priority 61 - at this point this is the end of policy routing for freifunk related routes
...
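Review bot: the comment `# Priority 41 - lookup rt_table ffinetexit for all incoming traffic of freifunk bridges` no longer describes the rules beneath it, which match on addresses (`from 185.66.195.36/32`, `from 2a03:2260:11a::/48`) rather than on incoming interfaces; this commit rewords the same comment in policyrouting.rst to "traffic ... to and from public internet", so internetexit.rst should carry the matching wording. The two address families are also treated differently here: for IPv4 only the single SNAT address is steered into ffinetexit, for IPv6 both complete /48s are. That follows from IPv4 being NATted and IPv6 being routed natively, but the page should say so next to the rules.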
@@ -717,7 +714,9 @@ Für das Internet-Routing über Freifunk Rheinland sind noch folgende IP Rules i
ip -4 rule add from all iif ffrl-b-ix-dus type unreachable priority 61
...
ip -6 rule add from 2a03:2260:11a::/48 type unreachable priority 61
ip -6 rule add to 2a03:2260:11a::/48 type unreachable priority 61
ip -6 rule add from 2a03:2260:11b::/48 type unreachable priority 61
ip -6 rule add to 2a03:2260:11b::/48 type unreachable priority 61
...
ip -6 rule add from all iif ffrl-a-fra3-fra type unreachable priority 61
ip -6 rule add from all iif ffrl-b-fra3-fra type unreachable priority 61
95 changes: 69 additions & 26 deletions ffmwu_gateway_doku/configuration/policyrouting.rst
@@ -18,49 +18,75 @@ Unter Linux konfiguriert man Routing Policies über sogenannte **IP Rules**. Dam
# IP rules
#

# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
ip -4 rule add from all iif mzBR lookup mwu priority 7
ip -4 rule add from all iif wiBR lookup mwu priority 7
# Priority 7 - lookup rt_table mwu for all traffic to and from own freifunk networks
ip -4 rule add from 10.37.0.0/16 lookup mwu priority 7
ip -4 rule add to 10.37.0.0/16 lookup mwu priority 7
ip -4 rule add from 10.56.0.0/16 lookup mwu priority 7
ip -4 rule add to 10.56.0.0/16 lookup mwu priority 7
ip -4 rule add from all oif mzBR lookup mwu priority 7
ip -4 rule add from all oif wiBR lookup mwu priority 7
ip -4 rule add from all oif icVPN lookup mwu priority 7
ip -6 rule add from fd37:b4dc:4b1e::/48 lookup mwu priority 7
ip -6 rule add to fd37:b4dc:4b1e::/48 lookup mwu priority 7
ip -6 rule add from fd56:b4dc:4b1e::/48 lookup mwu priority 7
ip -6 rule add to fd56:b4dc:4b1e::/48 lookup mwu priority 7
ip -6 rule add from all oif mzBR lookup mwu priority 7
ip -6 rule add from all oif wiBR lookup mwu priority 7
ip -6 rule add from all oif icVPN lookup mwu priority 7
...
<IPv4 rules für IC-VPN>
<IPv4 rules für Internet Exit>
<IPv6 rules für öffentliche IPv6-Präfixe / Internet Exit>
...
ip -6 rule add from all iif mzBR lookup mwu priority 7
ip -6 rule add from all iif wiBR lookup mwu priority 7

# Priortiy 23 - lookup rt_table icvpn for all traffic to and from ICVPN
ip -4 rule add from 10.37.0.0/16 lookup icvpn priority 23
ip -4 rule add to 10.37.0.0/16 lookup icvpn priority 23
ip -4 rule add from 10.56.0.0/16 lookup icvpn priority 23
ip -4 rule add to 10.56.0.0/16 lookup icvpn priority 23
ip -4 rule add from all oif mzBR lookup icvpn priority 23
ip -4 rule add from all oif wiBR lookup icvpn priority 23
ip -4 rule add from all oif icVPN lookup icvpn priority 23
ip -6 rule add from fd37:b4dc:4b1e::/48 lookup icvpn priority 23
ip -6 rule add to fd37:b4dc:4b1e::/48 lookup icvpn priority 23
ip -6 rule add from fd56:b4dc:4b1e::/48 lookup icvpn priority 23
ip -6 rule add to fd56:b4dc:4b1e::/48 lookup icvpn priority 23
ip -6 rule add from all oif mzBR lookup icvpn priority 23
ip -6 rule add from all oif wiBR lookup icvpn priority 23
ip -6 rule add from all oif icVPN lookup icvpn priority 23
...
<IPv6 rules für IC-VPN>
<IPv6 rules für Internet Exit>
<IPv6 rules für öffentliche IPv6-Präfixe / Internet Exit>
...

# Priortiy 23 - lookup rt_table icvpn for all incoming traffic of freifunk bridges
ip -4 rule add from all iif mzBR lookup icvpn priority 23
ip -4 rule add from all iif wiBR lookup icvpn priority 23
ip -6 rule add from all iif mzBR lookup icvpn priority 23
ip -6 rule add from all iif wiBR lookup icvpn priority 23

# Priority 41 - lookup rt_table ffinetexit for all incoming traffic of freifunk bridges
ip -4 rule add from all iif mzBR lookup ffinetexit priority 41
ip -4 rule add from all iif wiBR lookup ffinetexit priority 41
# Priority 41 - lookup rt_table ffinetexit for all traffic related own freifunk networks to and from public internet
ip -4 rule add from 10.37.0.0/16 lookup ffinetexit priority 41
ip -4 rule add from 10.56.0.0/16 lookup ffinetexit priority 41
...
<IPv4 rules für Internet Exit>
<IPv6 rules für Internet Exit>
...

# Priority 61 - at this point this is the end of policy routing for freifunk related routes
# Priority 61 - at this point this is the end of policy routing for freifunk related traffic
ip -4 rule add to 10.0.0.0/8 type unreachable priority 61
ip -4 rule add from 10.0.0.0/8 type unreachable priority 61
ip -4 rule add to 192.168.0.0/16 type unreachable priority 61
ip -4 rule add from 192.168.0.0/16 type unreachable priority 61
ip -4 rule add to 172.16.0.0/12 type unreachable priority 61
ip -4 rule add from 172.16.0.0/12 type unreachable priority 61
ip -4 rule add from all iif mzBR type unreachable priority 61
ip -4 rule add from all iif wiBR type unreachable priority 61
ip -4 rule add from all iif icVPN type unreachable priority 61
ip -4 rule add from all iif eth0 type unreachable priority 61
...
<IPv4 rules für Internet Exit>
...
ip -4 rule add from all iif icVPN type unreachable priority 61
ip -4 rule add from all iif eth0 type unreachable priority 61
ip -6 rule add from fc00::/7 type unreachable priority 61
ip -6 rule add to fc00::/7 type unreachable priority 61
ip -6 rule add from all iif mzBR type unreachable priority 61
ip -6 rule add from all iif wiBR type unreachable priority 61
ip -6 rule add from all iif icVPN type unreachable priority 61
ip -6 rule add from all iif eth0 type unreachable priority 61
...
<IPv6 rules für Internet Exit>
...
ip -6 rule add from all iif eth0 type unreachable priority 61

# Priority 107 - lookup policies for the gateway host self originating traffic
ip -4 rule add from all lookup mwu priority 107
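Review bot: two typos in the comment lines survive the rewrite: `# Priortiy 23 - lookup rt_table icvpn for all traffic to and from ICVPN` should read `Priority 23`, and `# Priority 41 - lookup rt_table ffinetexit for all traffic related own freifunk networks to and from public internet` is missing a word (`related to own freifunk networks`). On substance, the listing now relies on `from <prefix>`/`to <prefix>` matches plus `oif` rules for locally originated packets, and the `<IPv4 rules für ...>` placeholders send the reader to three pages to assemble the complete rule set; a short sentence above the listing stating that each priority level is a fall-through stage (7 mwu, 23 icvpn, 41 ffinetexit, 61 unreachable as the backstop, 107 for the host's own traffic) would let the page stand on its own. Since `from all iif eth0 type unreachable priority 61` now catches everything arriving on the uplink that no earlier rule claimed, the text should also point out that locally destined packets are unaffected because the local table is consulted at priority 0.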
@@ -82,10 +108,6 @@ Zusätzlich zu den **IP Rules** befüllen wir über das **rc.local**-Script auch
# IP routes
#

# static route for icvpn transfer-net
/sbin/ip -4 route add 10.207.0.0/16 proto static dev icVPN table icvpn
/sbin/ip -6 route add fec0::/96 proto static dev icVPN table icvpn

# static mainz routes for rt_table mwu
/sbin/ip -4 route add 10.37.0.0/18 proto static dev mzBR table mwu
/sbin/ip -6 route add fd37:b4dc:4b1e::/64 proto static dev mzBR table mwu
@@ -94,6 +116,27 @@ Zusätzlich zu den **IP Rules** befüllen wir über das **rc.local**-Script auch
/sbin/ip -4 route add 10.56.0.0/18 proto static dev wiBR table mwu
/sbin/ip -6 route add fd56:b4dc:4b1e::/64 proto static dev wiBR table mwu

# static blackhole routes for rt_table ffinetexit
/sbin/ip -4 route add blackhole 0.0.0.0/8 table ffinetexit
/sbin/ip -4 route add blackhole 10.0.0.0/8 table ffinetexit
/sbin/ip -4 route add blackhole 100.64.0.0/10 table ffinetexit
/sbin/ip -4 route add blackhole 127.0.0.0/8 table ffinetexit
/sbin/ip -4 route add blackhole 169.254.0.0/16 table ffinetexit
/sbin/ip -4 route add blackhole 172.16.0.0/12 table ffinetexit
/sbin/ip -4 route add blackhole 192.0.0.0/24 table ffinetexit
/sbin/ip -4 route add blackhole 192.0.2.0/24 table ffinetexit
/sbin/ip -4 route add blackhole 192.88.99.0/24 table ffinetexit
/sbin/ip -4 route add blackhole 192.168.0.0/16 table ffinetexit
/sbin/ip -4 route add blackhole 198.18.0.0/15 table ffinetexit
/sbin/ip -4 route add blackhole 198.51.100.0/24 table ffinetexit
/sbin/ip -4 route add blackhole 203.0.113.0/24 table ffinetexit
/sbin/ip -4 route add blackhole 224.0.0.0/4 table ffinetexit
/sbin/ip -4 route add blackhole 240.0.0.0/4 table ffinetexit
/sbin/ip -4 route add blackhole 255.255.255.255/32 table ffinetexit

# static route for icvpn transfer-net
/sbin/ip -4 route add 10.207.0.0/16 proto static dev icVPN table icvpn
/sbin/ip -6 route add fec0::/96 proto static dev icVPN table icvpn

.. _LARTC: http://lartc.org/howto/
.. _Policy-Routing: http://www.policyrouting.org/PolicyRoutingBook/ONLINE/TOC.html
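Review bot: the blackhole block covers the IPv4 special-purpose and private ranges only, yet the priority-41 rules in internetexit.rst send the public IPv6 /48s through ffinetexit as well; add the IPv6 counterparts (at minimum `blackhole fc00::/7` and the other non-routable ranges) or state why IPv6 needs none. It is also worth a sentence that `blackhole 10.0.0.0/8` cannot shadow the gateway's own 10.37.0.0/16 and 10.56.0.0/16 networks, because those are resolved in table mwu at priority 7 before ffinetexit is consulted at priority 41; without that remark the entry looks like a bug. Moving the icvpn transfer-net routes below the new block is a pure reordering with no behavioural change and could be mentioned as such in the commit message.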
1 change: 1 addition & 0 deletions ffmwu_gateway_doku/index.rst
@@ -21,6 +21,7 @@ Konfiguration

configuration/basics
configuration/interfaces
configuration/firewall
configuration/policyrouting
configuration/daemons/ddi
configuration/daemons/fastd
