====== Network ======

===== Map =====

{{sketch>map.svg}}

===== Addresses =====

Prefix is **192.168.0.**

  * **1** : gateway (FB)
  * **2-63** : DHCP range
  * **64** : YPC
  * **65-127** : fixed address range for production devices
  * **128** : YS
  * **129-199** : experimental fixed address range
  * **200-254** : home automation devices with fixed addresses

===== Peggy private network =====

  * YS:eth0 : ypn
  * YS:eth1 : peggy (cross, ip = 10.0.0.1 static)

  CF : gate:/etc/init.d/firewall
==== System security config ====

<file |/etc/sysctl.conf>
# Spoof protection (reverse path filter)
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1

# Log malformed IP addresses
net.ipv4.conf.all.log_martians = 1

# Do not disable ICMP redirects ! (Peggy router)
#net.ipv4.conf.all.send_redirects = 0

# Do not disable source routed packets (Peggy router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0

# Disable acceptance of ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

# Turn on protection from Denial of Service (DOS) attacks
net.ipv4.tcp_syncookies = 1
 
# Do not disable responding to ping broadcasts
#net.ipv4.icmp_echo_ignore_broadcasts = 1
 
# Enable IP routing. Required if your firewall is protecting a
# network, NAT included
net.ipv4.ip_forward = 1
</file>

==== DNSMasq config ====

<file |/etc/dnsmasq.conf>
# Don't forward queries for names, only for full domains
domain-needed

# Eth interface
interface=eth1

# Local domain
domain=peggy.private.network

# DNS cache size
cache-size=256

# DHCP range
dhcp-range=10.0.0.2,10.0.0.31,24h

# NetMask
dhcp-option=1,255.255.255.0

# Local domain
dhcp-option=40,peggy.private.network

# Release on shutdown for M$ clients
dhcp-option=vendor:MSFT,2,li

# We are the only DHCP on this network
dhcp-authoritative
</file>

==== IPTables config script (@startup / eth1 up) ====

<file |iptable-config.sh>
#!/bin/bash

## Reset
iptables -F
iptables -X

## User chains
iptables -N valid-src
iptables -N valid-dst

## Allow open connection to receive RX data
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
## Allow open connection to receive TX data
iptables -A OUTPUT -m state ! --state INVALID -j ACCEPT
 
## Loopback
iptables -I INPUT -i lo -j ACCEPT

## Verify src/dest
iptables -A INPUT   -i eth1 -j valid-src
iptables -A FORWARD -i eth1 -j valid-src
iptables -A OUTPUT  -o eth1 -j valid-dst
iptables -A FORWARD -o eth1 -j valid-dst

## Drops

# Broadcast (RFC 1700) "this" network
iptables -A valid-src -d 0.0.0.0/8 -j DROP

# Local network gateway
iptables -A valid-src -d 10.0.0.1 --dport 23 -j DROP
iptables -A valid-src -d 10.0.0.1 --dport 25 -j DROP
iptables -A valid-src -d 10.0.0.1 --dport 26912 -j DROP

# Local network (RFC 1918)
iptables -A valid-src -d 10.0.0.0/8 -j DROP

# Loopback
iptables -A valid-src -d 127.0.0.0/8 -j DROP

# Autoconfig
iptables -A valid-src -d 169.254.0.0/16 -j DROP

# Local network (RFC 1918)
iptables -A valid-src -d 172.16.0.0/12 -j DROP

# Local network (RFC 1918)
iptables -A valid-src -d 192.168.0.0/16 -j DROP

# Multicast (RFC 5771)
iptables -A valid-src -d 224.0.0.0/4 -j DROP

# Local network (RFC 1918)
iptables -A valid-src -d 240.0.0.0/5 -j DROP

# Local network (RFC 1918)
iptables -A valid-src -s 255.255.255.255 -j DROP

iptables -A valid-dst -s 224.0.0.0/4 -j DROP
</file>