| -rw-r--r-- | documentation/addressplan.txt | 5 | ||||
| -rw-r--r-- | roles/space_server/files/networkd/10-lan.network | 1 | ||||
| -rw-r--r-- | roles/space_server/files/networkd/10-lan21.netdev | 6 | ||||
| -rw-r--r-- | roles/space_server/files/networkd/10-lan21.network | 18 | ||||
| -rw-r--r-- | roles/space_server/files/nftables.conf | 49 | ||||
| -rw-r--r-- | roles/space_server/files/nftables.service | 2 | 
6 files changed, 80 insertions, 1 deletions
| diff --git a/documentation/addressplan.txt b/documentation/addressplan.txt index ade8805..b5e8f94 100644 --- a/documentation/addressplan.txt +++ b/documentation/addressplan.txt @@ -6,11 +6,12 @@          * 185.38.175.065    - space.labitat.dk, labicolo gateway          * 185.38.175.069    - spacebrain.labitat.dk          * 185.38.175.070    - spacewand.labitat.dk -        * 185.38.175.071    - reserved for tor exit node          * 185.38.175.075    - Asbjorn          * 185.38.175.076    - Deni          * 185.38.175.077    - KTJ          * 185.38.175.078    - Graffen +    ***** 185.38.175.128/28 - Tor exit nodes +        * 185.38.175.129    - space.labitat.dk - gateway  ********************* 2a01:4262:1ab:0000::/48  - allocated and announced   ******************** 2a01:4262:1ab:0xxx::/52  - labitat internal use @@ -38,6 +39,8 @@    ******************* 2a01:4262:1ab:11xx::/56  - 16x /60 delegations     ****************** 2a01:4262:1ab:110x::/60  - Asbjorn     ****************** 2a01:4262:1ab:111x::/60  - Esmil + ******************** 2a01:4262:1ab:fxxx::/52  - untrusted address space +    ***************** 2a01:4262:1ab:ffff::/64  - Tor exit nodes  Linknets: diff --git a/roles/space_server/files/networkd/10-lan.network b/roles/space_server/files/networkd/10-lan.network index 1a9f004..1221be8 100644 --- a/roles/space_server/files/networkd/10-lan.network +++ b/roles/space_server/files/networkd/10-lan.network @@ -18,3 +18,4 @@ VLAN=lan13  VLAN=lan14  VLAN=lan15  VLAN=lan20 +VLAN=lan21 diff --git a/roles/space_server/files/networkd/10-lan21.netdev b/roles/space_server/files/networkd/10-lan21.netdev new file mode 100644 index 0000000..85a79c2 --- /dev/null +++ b/roles/space_server/files/networkd/10-lan21.netdev @@ -0,0 +1,6 @@ +[NetDev] +Name=lan21 +Kind=vlan + +[VLAN] +Id=21 diff --git a/roles/space_server/files/networkd/10-lan21.network b/roles/space_server/files/networkd/10-lan21.network new file mode 100644 index 0000000..7ac5b75 --- /dev/null 
+++ b/roles/space_server/files/networkd/10-lan21.network @@ -0,0 +1,18 @@ +[Match] +Name=lan21 + +[Link] +ARP=yes + +[Network] +DHCP=no +IPv6AcceptRA=no +LinkLocalAddressing=no +Address=185.38.175.129/28 +Address=2a01:4262:1ab:ffff::1/64 +Address=fe80::1/64 +IPForward=yes +LLMNR=no +MulticastDNS=no +LLDP=yes +EmitLLDP=no diff --git a/roles/space_server/files/nftables.conf b/roles/space_server/files/nftables.conf index 3502959..93ecc25 100644 --- a/roles/space_server/files/nftables.conf +++ b/roles/space_server/files/nftables.conf @@ -48,6 +48,15 @@ define nat64_net4 = 10.42.128.0/17  define colo_if   = lan20 +define tor_if     = lan21 +define tor_net4   = 185.38.175.128/28 +define tor_net6   = 2a01:4262:1ab:ffff::/64 + +define local_ip4  = { $ext_ip4, $adm_ip4, $wire_ip4, $priv_ip4, $free_ip4, $pass_ip4 } +define local_ip6  = { $ext_ip6 } +define local_net4 = { $ext_ip4, $free_nat, $int_net4 } +define local_net6 = 2a01:4262:1ab::/52 +  define avahi_ifs = { $wire_if, $priv_if, $pass_if }  table ip filter { @@ -118,6 +127,10 @@ table ip filter {  	chain forward {  		type filter hook forward priority 0; +		# handle tor traffic - before ct +		iif $tor_if ip saddr $tor_net4 ip daddr != $local_net4 accept +		oif $tor_if ip daddr $tor_net4 ip saddr != $local_net4 accept +  		ct state established,related accept  		ct state invalid drop @@ -207,6 +220,10 @@ table ip6 filter {  	chain forward {  		type filter hook forward priority 0; +		# handle tor traffic - before ct +		iif $tor_if ip6 saddr $tor_net6 ip6 daddr != $local_net6 accept +		oif $tor_if ip6 daddr $tor_net6 ip6 saddr != $local_net6 accept +  		ct state established,related accept  		ct state invalid drop 
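Review bot: The new `local_ip4`/`local_ip6` sets in the define block of nftables.conf omit the gateway's own addresses on the Tor VLAN, 185.38.175.129 and 2a01:4262:1ab:ffff::1 as assigned in 10-lan21.network, and because those addresses sit inside `$tor_net4`/`$tor_net6` but outside `$local_net6` (2a01:4262:1ab:ffff::/64 is not within 2a01:4262:1ab::/52; for IPv4 it depends on whether `$int_net4` happens to cover 185.38.175.129, which the diff does not show), the `notrack` rules added in the raw prerouting hunk at the end of this file also exempt traffic between the Tor hosts and the gateway itself from connection tracking. Whether that matters depends on the input chain, which is not in the diff, but any `ct state` based rule there would presumably no longer see those flows as established. Listing the Tor-side gateway addresses in the local sets keeps that traffic tracked: `define local_ip4  = { $ext_ip4, $adm_ip4, $wire_ip4, $priv_ip4, $free_ip4, $pass_ip4, 185.38.175.129 }` and `define local_ip6  = { $ext_ip6, 2a01:4262:1ab:ffff::1 }`. A one-line comment above the block, e.g. `# local_ip*/local_net* must name every gateway address, including those inside the untrusted nets`, would make that invariant explicit for the next person adding an interface.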
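Review bot: The two accept rules inserted at the top of `chain forward` in `table ip filter` (and their ip6 counterpart in the next hunk) let Tor traffic skip every later rule in the chain, and the only destination restriction is `ip daddr != $local_net4`; whether private, link-local or the `nat64_net4` prefix 10.42.128.0/17 defined earlier in this file are unreachable from lan21 therefore rests entirely on `$int_net4` covering them, which the diff does not show. An explicit exclusion in front of the accept keeps the exit from reaching internal ranges without relying on that: `iif $tor_if ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } drop` and, in the ip6 chain, `iif $tor_if ip6 daddr { fc00::/7, fe80::/10 } drop`. The `# handle tor traffic - before ct` comment could also say why ordering matters, e.g. `# tor traffic is notracked in the raw table, so it must be accepted before the ct state rules`. The body of `chain forward` continues outside the hunk in both tables.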
@@ -281,3 +298,35 @@ table ip6 nat {  	#	type nat hook postrouting priority -150;  	#}  } + +table ip raw { +	chain prerouting { +		type filter hook prerouting priority -300; policy accept + +		iif lo accept + +		# always do connection tracking for local IP's +		ip saddr $local_ip4 accept +		ip daddr $local_ip4 accept + +		# avoid connection tracking for most Tor traffic +		ip saddr $tor_net4 ip daddr != $local_net4 notrack +		ip daddr $tor_net4 ip saddr != $local_net4 notrack +	} +} + +table ip6 raw { +	chain prerouting { +		type filter hook prerouting priority -300; policy accept + +		iif lo accept + +		# always do connection tracking for local IP's +		ip6 saddr $local_ip6 accept +		ip6 daddr $local_ip6 accept + +		# avoid connection tracking for most Tor traffic +		ip6 saddr $tor_net6 ip6 daddr != $local_net6 notrack +		ip6 daddr $tor_net6 ip6 saddr != $local_net6 notrack +	} +} diff --git a/roles/space_server/files/nftables.service b/roles/space_server/files/nftables.service index 89e9cfe..54efd9c 100644 --- a/roles/space_server/files/nftables.service +++ b/roles/space_server/files/nftables.service @@ -8,6 +8,7 @@ Requires=sys-devices-virtual-net-lan13.device  Requires=sys-devices-virtual-net-lan14.device  Requires=sys-devices-virtual-net-lan15.device  Requires=sys-devices-virtual-net-lan20.device +Requires=sys-devices-virtual-net-lan21.device  Requires=sys-devices-virtual-net-nat64.device  After=sys-devices-virtual-net-lan10.device  After=sys-devices-virtual-net-lan11.device @@ -16,6 +17,7 @@ After=sys-devices-virtual-net-lan13.device  After=sys-devices-virtual-net-lan14.device  After=sys-devices-virtual-net-lan15.device  After=sys-devices-virtual-net-lan20.device +After=sys-devices-virtual-net-lan21.device  After=sys-devices-virtual-net-nat64.device  Before=network-online.target | 
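Review bot: The `notrack` rules in the new `table ip raw` and `table ip6 raw` prerouting chains match on addresses only, so a packet arriving on any interface with a source spoofed into `$tor_net4`/`$tor_net6` skips connection tracking, while the corresponding accept rules in the filter forward chains additionally require `iif $tor_if`; as far as I know an untracked packet does not match `ct state invalid`, so such a packet would pass both ct lines unmatched and reach whatever follows in `chain forward`, which is outside the diff, unless reverse-path filtering is enforced elsewhere. Binding the source-address rule to the Tor interface keeps the raw and filter rules in step: `iif $tor_if ip saddr $tor_net4 ip daddr != $local_net4 notrack` and `iif $tor_if ip6 saddr $tor_net6 ip6 daddr != $local_net6 notrack`. The destination-address rule has no interface to bind to in prerouting, since return traffic arrives on the uplink, so it stays as written.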
