author | Asbjørn Sloth Tønnesen <asbjorn@labitat.dk> | 2021-09-06 18:13:20 +0000 |
---|---|---|
committer | Asbjørn Sloth Tønnesen <asbjorn@labitat.dk> | 2021-09-06 19:06:02 +0000 |
commit | 6856b82bdcd61ea25cac8bc64a9114d908e6ea9e (patch) | |
tree | 76f20db1cae32f1fcb86cd6603b398d441c45e9d /roles/space_server/files | |
parent | b1904dcc2937c93408234311793302aedca859c4 (diff) | |
space_server: add dedicated VLAN for Tor exit nodesnew-tor-exit-range
Move the Tor exit nodes to their own VLAN, and
their own address space.
Background for move
-------------------
For the first Tor exit node, we were able to
create inet6num object 2a01:4262:1ab:20::71/128.
So we could assign a specific Tor abuse contact.
When we added the second node it was no longer
possible to create /128 inet6num objects, but
only up to /64. We therefore need to move our
Tor exit nodes to a dedicated address space.
Connection tracking
-------------------
Connection tracking is quite expensive, so
it's better to only do it for Tor traffic,
when we actually need it, which is only when
internal clients need to access the servers.
In the future conntrack could also be disabled
for labicolo in general.
Current stats
~~~~~~~~~~~~~
[root@space ~]# grep -v '185\.38\.175\.7[12] ' /proc/net/nf_conntrack |
grep -v '2a01:4262:01ab:0020:0000:0000:0000:007[12]' | wc -l
4071
[root@space ~]# wc -l /proc/net/nf_conntrack
39138 /proc/net/nf_conntrack
Currently 4071 out of 39138 connections are not Tor related.
Also reading /proc/net/nf_conntrack is quite slow atm.:
[root@space ~]# time cat /proc/net/nf_conntrack > /dev/null
real 0m35.097s
user 0m0.010s
sys 0m28.114s
Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
Diffstat (limited to 'roles/space_server/files')
-rw-r--r-- | roles/space_server/files/networkd/10-lan.network | 1 | ||||
-rw-r--r-- | roles/space_server/files/networkd/10-lan21.netdev | 6 | ||||
-rw-r--r-- | roles/space_server/files/networkd/10-lan21.network | 18 | ||||
-rw-r--r-- | roles/space_server/files/nftables.conf | 49 | ||||
-rw-r--r-- | roles/space_server/files/nftables.service | 2 |
5 files changed, 76 insertions, 0 deletions
diff --git a/roles/space_server/files/networkd/10-lan.network b/roles/space_server/files/networkd/10-lan.network
index 1a9f004..1221be8 100644
--- a/roles/space_server/files/networkd/10-lan.network
+++ b/roles/space_server/files/networkd/10-lan.network
@@ -18,3 +18,4 @@ VLAN=lan13
 VLAN=lan14
 VLAN=lan15
 VLAN=lan20
+VLAN=lan21
diff --git a/roles/space_server/files/networkd/10-lan21.netdev b/roles/space_server/files/networkd/10-lan21.netdev
new file mode 100644
index 0000000..85a79c2
--- /dev/null
+++ b/roles/space_server/files/networkd/10-lan21.netdev
@@ -0,0 +1,6 @@
+[NetDev]
+Name=lan21
+Kind=vlan
+
+[VLAN]
+Id=21
diff --git a/roles/space_server/files/networkd/10-lan21.network b/roles/space_server/files/networkd/10-lan21.network
new file mode 100644
index 0000000..7ac5b75
--- /dev/null
+++ b/roles/space_server/files/networkd/10-lan21.network
@@ -0,0 +1,18 @@
+[Match]
+Name=lan21
+
+[Link]
+ARP=yes
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+LinkLocalAddressing=no
+Address=185.38.175.129/28
+Address=2a01:4262:1ab:ffff::1/64
+Address=fe80::1/64
+IPForward=yes
+LLMNR=no
+MulticastDNS=no
+LLDP=yes
+EmitLLDP=no
diff --git a/roles/space_server/files/nftables.conf b/roles/space_server/files/nftables.conf
index 3502959..93ecc25 100644
--- a/roles/space_server/files/nftables.conf
+++ b/roles/space_server/files/nftables.conf
@@ -48,6 +48,15 @@ define nat64_net4 = 10.42.128.0/17
 define colo_if = lan20
+define tor_if = lan21
+define tor_net4 = 185.38.175.128/28
+define tor_net6 = 2a01:4262:1ab:ffff::/64
+
+define local_ip4 = { $ext_ip4, $adm_ip4, $wire_ip4, $priv_ip4, $free_ip4, $pass_ip4 }
+define local_ip6 = { $ext_ip6 }
+define local_net4 = { $ext_ip4, $free_nat, $int_net4 }
+define local_net6 = 2a01:4262:1ab::/52
+
 define avahi_ifs = { $wire_if, $priv_if, $pass_if }
 table ip filter {
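Review bot: The gateway's own lan21 addresses (185.38.175.129 and 2a01:4262:1ab:ffff::1 per 10-lan21.network) lie inside $tor_net4/$tor_net6 but are listed in neither $local_ip4/$local_ip6 nor $local_net6 (2a01:4262:1ab:ffff::/64 is outside 2a01:4262:1ab::/52), so in the new raw prerouting chains further down packets exchanged between a Tor node and the gateway itself reach the `notrack` rules. If the input chain, which is not visible here, relies on `ct state established,related`, the gateway's own sessions with the exit nodes would lose state. Adding the gateway addresses to the local sets keeps them tracked: `define local_ip4 = { $ext_ip4, $adm_ip4, $wire_ip4, $priv_ip4, $free_ip4, $pass_ip4, 185.38.175.129 }` and `define local_ip6 = { $ext_ip6, 2a01:4262:1ab:ffff::1 }`. Whether 185.38.175.129 happens to be covered by $int_net4 or $free_nat cannot be determined from this hunk, so the IPv4 case is less certain than the IPv6 one.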
@@ -118,6 +127,10 @@ table ip filter {
 chain forward {
 type filter hook forward priority 0;
+ # handle tor traffic - before ct
+ iif $tor_if ip saddr $tor_net4 ip daddr != $local_net4 accept
+ oif $tor_if ip daddr $tor_net4 ip saddr != $local_net4 accept
+
 ct state established,related accept
 ct state invalid drop
@@ -207,6 +220,10 @@ table ip6 filter {
 chain forward {
 type filter hook forward priority 0;
+ # handle tor traffic - before ct
+ iif $tor_if ip6 saddr $tor_net6 ip6 daddr != $local_net6 accept
+ oif $tor_if ip6 daddr $tor_net6 ip6 saddr != $local_net6 accept
+
 ct state established,related accept
 ct state invalid drop
@@ -281,3 +298,35 @@ table ip6 nat {
 # type nat hook postrouting priority -150;
 #}
 }
+
+table ip raw {
+ chain prerouting {
+ type filter hook prerouting priority -300; policy accept
+
+ iif lo accept
+
+ # always do connection tracking for local IP's
+ ip saddr $local_ip4 accept
+ ip daddr $local_ip4 accept
+
+ # avoid connection tracking for most Tor traffic
+ ip saddr $tor_net4 ip daddr != $local_net4 notrack
+ ip daddr $tor_net4 ip saddr != $local_net4 notrack
+ }
+}
+
+table ip6 raw {
+ chain prerouting {
+ type filter hook prerouting priority -300; policy accept
+
+ iif lo accept
+
+ # always do connection tracking for local IP's
+ ip6 saddr $local_ip6 accept
+ ip6 daddr $local_ip6 accept
+
+ # avoid connection tracking for most Tor traffic
+ ip6 saddr $tor_net6 ip6 daddr != $local_net6 notrack
+ ip6 daddr $tor_net6 ip6 saddr != $local_net6 notrack
+ }
+}
diff --git a/roles/space_server/files/nftables.service b/roles/space_server/files/nftables.service
index 89e9cfe..54efd9c 100644
--- a/roles/space_server/files/nftables.service
+++ b/roles/space_server/files/nftables.service
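Review bot: The comment `# handle tor traffic - before ct` in the ip forward chain records the ordering but not why it is required: these flows are exempted from conntrack by the new raw tables in the same file, so they never match `ct state established,related accept` and have to be accepted explicitly ahead of it. A maintainer reordering rules later would be helped by `# Tor exit flows are notrack'ed in the raw table, so they must be accepted before the ct state rules`. The same comment is worth updating in the ip6 forward hunk. Both chain forward bodies start and end outside their hunks.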
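Review bot: In both new raw prerouting chains the source-side exemption is keyed on addresses only (`ip saddr $tor_net4 ip daddr != $local_net4 notrack`), whereas the corresponding forward rule is pinned to the VLAN with `iif $tor_if`; a packet carrying a Tor source address that enters on any other interface is therefore also left untracked even though the forward accept will not match it. Mirroring the interface guard keeps the exemption scoped to the Tor VLAN: `iif $tor_if ip saddr $tor_net4 ip daddr != $local_net4 notrack` and, in table ip6 raw, `iif $tor_if ip6 saddr $tor_net6 ip6 daddr != $local_net6 notrack`. The destination-side rules should stay interface-agnostic, since traffic towards the exit nodes presumably arrives on other interfaces.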
@@ -8,6 +8,7 @@ Requires=sys-devices-virtual-net-lan13.device
 Requires=sys-devices-virtual-net-lan14.device
 Requires=sys-devices-virtual-net-lan15.device
 Requires=sys-devices-virtual-net-lan20.device
+Requires=sys-devices-virtual-net-lan21.device
 Requires=sys-devices-virtual-net-nat64.device
 After=sys-devices-virtual-net-lan10.device
 After=sys-devices-virtual-net-lan11.device
@@ -16,6 +17,7 @@ After=sys-devices-virtual-net-lan13.device
 After=sys-devices-virtual-net-lan14.device
 After=sys-devices-virtual-net-lan15.device
 After=sys-devices-virtual-net-lan20.device
+After=sys-devices-virtual-net-lan21.device
 After=sys-devices-virtual-net-nat64.device
 Before=network-online.target |