map.svg
Prefix is 192.168.0.
CF : gate:/etc/init.d/firewall
# Kernel network settings for the gateway (companion to the firewall script).
# Each line is a sysctl key = value; lines starting with # are ignored.
# Commented-out keys are settings that are deliberately left at their
# kernel default for this router, with the reason given above them.

# --- Source-address validation --------------------------------------------
# Reverse-path filter: drop packets whose source address could not be
# reached back through the interface they arrived on (anti-spoofing).
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
# Log "martian" packets (impossible source/destination addresses) to the
# kernel log so spoofing attempts leave a trace.
net.ipv4.conf.all.log_martians = 1

# --- ICMP redirects --------------------------------------------------------
# Never act on ICMP redirects received from the network; a forged redirect
# could steer this router's traffic through a next hop of someone else's
# choosing.
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# Sending ICMP redirects is deliberately left ENABLED (Peggy router) -
# do not switch it off.
#net.ipv4.conf.all.send_redirects = 0

# --- Source routing --------------------------------------------------------
# Accepting source-routed packets is deliberately left ENABLED (Peggy router).
# NOTE(review): source routing lets the sender dictate the path a packet
# takes and can bypass routing policy; confirm it is still required.
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0

# --- ICMP echo -------------------------------------------------------------
# Answering broadcast pings is deliberately left ENABLED.
# NOTE(review): replying to broadcast echo requests lets this host act as
# an amplifier for smurf-style floods; confirm it is needed on this LAN.
#net.ipv4.icmp_echo_ignore_broadcasts = 1

# --- TCP -------------------------------------------------------------------
# SYN cookies: keep accepting new connections during a SYN flood instead of
# letting the listen backlog fill up.
net.ipv4.tcp_syncookies = 1

# --- Forwarding ------------------------------------------------------------
# Route packets between interfaces. Required when this firewall protects a
# network behind it, NAT included.
net.ipv4.ip_forward = 1
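# dnsmasq configuration for the Peggy LAN: DNS forwarder/cache plus DHCP.
# Read by dnsmasq; option semantics are in dnsmasq.conf(5).

# Never forward plain host names (no dot, no domain part) to the upstream
# resolvers; only fully qualified names leave this box.
domain-needed
# Serve DNS and DHCP only on the LAN-facing interface.
# NOTE(review): without bind-interfaces dnsmasq still binds the wildcard
# address and merely discards traffic from other interfaces; add
# bind-interfaces if ports 53/67 must not be open there at all - confirm.
interface=eth1
# Local domain: returned to DHCP clients that ask for it (DHCP option 15)
# and the domain DHCP-configured hosts are allowed to claim.
domain=peggy.private.network
# Number of DNS answers kept in the cache.
cache-size=256
# DHCP pool: first address, last address, lease time.
dhcp-range=10.0.0.2,10.0.0.31,24h
# DHCP option 1: subnet mask.
dhcp-option=1,255.255.255.0
# DHCP option 40: NIS domain name (the DNS domain, option 15, already
# comes from "domain=" above).
dhcp-option=40,peggy.private.network
# Vendor-encapsulated option for Microsoft clients: MSFT option 2 with the
# integer value 1 makes them release their lease on shutdown. The trailing
# "i" forces integer encoding; this was previously written "li" (letter L),
# which dnsmasq would not send as the number 1.
dhcp-option=vendor:MSFT,2,1i
# This is the only DHCP server on the LAN: answer requests for leases it
# does not know about instead of staying silent.
dhcp-authoritative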
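#!/bin/bash
# Firewall for the gateway: reset the filter table, accept tracked
# connections, and hang address-validation chains (valid-src / valid-dst)
# off eth1.
# Every iptables call must succeed; stop at the first failure rather than
# continuing with a half-built ruleset.
set -e

# Interface the validation chains are attached to, and the gateway's own
# address on it - kept in one place so they are easy to change.
IFACE=eth1
GATEWAY=10.0.0.1

## Reset (filter table only; nat/mangle are left untouched)
iptables -F
iptables -X

## User chains
iptables -N valid-src
iptables -N valid-dst

## Loopback is always accepted (first rule in INPUT, as the old -I did)
iptables -A INPUT -i lo -j ACCEPT
## Accept replies and related packets of connections conntrack already knows
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
## Accept any locally generated output that conntrack does not call INVALID.
## NOTE(review): because this matches everything except INVALID, the
## valid-dst rule on OUTPUT below only ever sees INVALID packets; valid-dst
## still applies fully to FORWARD.
iptables -A OUTPUT -m state ! --state INVALID -j ACCEPT

## Hand eth1 traffic to the validation chains
iptables -A INPUT   -i "$IFACE" -j valid-src
iptables -A FORWARD -i "$IFACE" -j valid-src
iptables -A OUTPUT  -o "$IFACE" -j valid-dst
iptables -A FORWARD -o "$IFACE" -j valid-dst

## Drops
# Services on the gateway itself that eth1 may never reach.
# --dport is only valid together with -p tcp / -p udp; the previous rules
# had no -p, so iptables rejected them ("unknown option --dport") and the
# ports were never blocked.
# NOTE(review): 23 (telnet) and 25 (smtp) are TCP; 26912 is assumed TCP as
# well - confirm, and add a -p udp rule if that service also uses UDP.
for port in 23 25 26912; do
    iptables -A valid-src -d "$GATEWAY" -p tcp --dport "$port" -j DROP
done

# Destination ranges that are never valid on this path. Every rule in this
# chain is a DROP, so their relative order does not change any verdict.
# NOTE(review): the chain is named valid-src but matches on -d; eth1 is also
# the interface dnsmasq serves 10.0.0.x on, so the 10.0.0.0/8 entry drops
# LAN->gateway traffic (DNS, DHCP) as well - confirm -d rather than -s is
# intended.
# NOTE(review): the last entry is reserved space (not RFC 1918 as it was
# labelled); the full reserved block is 240.0.0.0/4, while /5 stops at
# 247.255.255.255 - confirm the mask.
BOGON_DST=(
    0.0.0.0/8        # "this" network (RFC 1700)
    10.0.0.0/8       # private (RFC 1918)
    127.0.0.0/8      # loopback
    169.254.0.0/16   # link-local autoconfig
    172.16.0.0/12    # private (RFC 1918)
    192.168.0.0/16   # private (RFC 1918)
    224.0.0.0/4      # multicast (RFC 5771)
    240.0.0.0/5      # reserved
)
for net in "${BOGON_DST[@]}"; do
    iptables -A valid-src -d "$net" -j DROP
done
# The limited-broadcast address is never a legitimate source
# (it was previously labelled RFC 1918, which it is not).
iptables -A valid-src -s 255.255.255.255 -j DROP

# Nothing leaving via eth1 may carry a multicast source address
iptables -A valid-dst -s 224.0.0.0/4 -j DROP

# NOTE(review): this excerpt sets no default policy (-P). If the script ends
# here, INPUT/FORWARD fall through to the table's existing policy (ACCEPT on
# a fresh system) - confirm the remainder of the script, if any, sets one.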