{"id":75,"date":"2019-05-30T09:28:15","date_gmt":"2019-05-30T08:28:15","guid":{"rendered":"https:\/\/www.gary.bilkus.com\/wordpress\/?p=75"},"modified":"2019-05-30T09:28:15","modified_gmt":"2019-05-30T08:28:15","slug":"networking-cheats","status":"publish","type":"post","link":"https:\/\/www.gary.bilkus.com\/wordpress\/networking-cheats\/","title":{"rendered":"Networking Cheats"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Netplan example bridging and static ip<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>network:\n  version: 2\n  renderer: NetworkManager\n  ethernets:\n    eth0:\n      dhcp4: no\n      dhcp6: no\n  bridges:\n    br0:\n      interfaces: [eth0]\n      addresses: [10.29.5.29\/24,192.168.5.29\/24]\n      gateway4: 10.29.5.1\n      nameservers:\n        addresses:\n          - 10.29.5.1\n      parameters:\n        stp: false\n        forward-delay: 0<\/code><\/pre>\n\n\n\n<p>eth0 carries no address of its own; both addresses, the default route and the resolver live on br0. <code>gateway4<\/code> still works but is deprecated in newer netplan releases, which want a <code>routes:<\/code> entry with <code>to: default<\/code> and <code>via: 10.29.5.1<\/code> instead. Turning STP off is fine for a bridge with a single physical uplink like this one; leave it on if more than one port could reach the same LAN.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Iptables<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code># How to get the current ip address of systems we care about.\n# dig +short can return nothing (resolver down) or several lines (a CNAME target\n# followed by A records); keep only the first A record and stop if there is none,\n# otherwise every -s rule below fails and is never installed.\npar1=$(dig +short @8.8.8.8 par1.greenwheel.com A | grep -E '^[0-9.]+$' | head -n 1)\nlon1=$(dig +short @8.8.8.8 lon1.greenwheel.com A | grep -E '^[0-9.]+$' | head -n 1)\n[ -n \"$par1\" ] || { echo \"lookup of par1 failed\"; exit 1; }\n[ -n \"$lon1\" ] || { echo \"lookup of lon1 failed\"; exit 1; }\n# set up some interface aliases\nbridge=br0\nwanif=eth0\nlanif=eth0\n\n# initialise iptables: flush every chain, then delete the now empty user chains so\n# the -N lines below do not fail with \"Chain already exists\" when the script is re-run\niptables -F\niptables -t nat -F\niptables -t mangle -F\niptables -X\n\n# Now we create our own chains\niptables -N UNRESTRICTED\niptables -N LOGOK\niptables -N WANINPUT\niptables -N LANINPUT\n\n# chains for logging\niptables -N LOGREJECT\niptables -N LOGREJECTF\niptables -A LOGOK -j LOG --log-prefix \"IPTABLES OK \" --log-level 4\niptables -A LOGOK -j ACCEPT\niptables -A LOGREJECT -j LOG --log-prefix \"IPTABLES BANNED \" --log-level 4\niptables -A LOGREJECT -j REJECT --reject-with icmp-port-unreachable\niptables -A LOGREJECTF -j LOG --log-prefix \"IPTABLES FORWARD REJECT \" --log-level 4\niptables -A LOGREJECTF -j REJECT --reject-with icmp-port-unreachable\n\n# We allow most things in apart from port 5000, which is our boiler service and is\n# only allowed if we are coming from our own dedicated server. These two rules match\n# on source address only, so whatever listens on 5000 should still authenticate its peer.\niptables -A INPUT -s $par1 -j ACCEPT\niptables -A INPUT -s $lon1 -j ACCEPT\nif [ \"$wanif\" == \"$lanif\" ]\nthen\n# a single interface for everything, so classify by source address instead\niptables -A INPUT -s 10.29.0.0\/16 -j LANINPUT\niptables -A INPUT -s 192.168.0.0\/16 -j LANINPUT\niptables -A INPUT -s 127.0.0.0\/8 -j LANINPUT\niptables -A INPUT -j WANINPUT\nelse\niptables -A INPUT -i $wanif -j WANINPUT\niptables -A INPUT -j LANINPUT\nfi\niptables -A LANINPUT -j ACCEPT\niptables -A WANINPUT  -p udp -m udp --dport 389 -j DROP # don't allow ldap queries from outside the lan (udp only; add tcp 389 and 636 if anything listens there)\niptables -A WANINPUT  -p tcp -m tcp --dport 5000 -j REJECT --reject-with icmp-port-unreachable\n# anything not matched in WANINPUT falls through to the INPUT default policy (ACCEPT unless set elsewhere)\n\n# Allow anything from our london and paris servers\niptables -A FORWARD -s $par1 -j ACCEPT\niptables -A FORWARD -s $lon1 -j ACCEPT\n# Allow all local\/vpn traffic within our subnet\niptables -A FORWARD -d 10.0.0.0\/8 -j ACCEPT\n# Allow ping etc\niptables -A FORWARD -p icmp -j ACCEPT\n# Allow replies belonging to connections that were already let through\niptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n\n# the unrestricted chain is maintained by allow and deny scripts\niptables -A FORWARD -j UNRESTRICTED\niptables -A FORWARD -s 192.168.5.29 -j ACCEPT\niptables -A FORWARD -s 10.29.201.0\/24 -j ACCEPT # allow anything we are routing from France\n# Anything not identified as unrestricted is subject to the following....\n# (only these three ports are blocked; everything else is still forwarded because\n# the FORWARD default policy is ACCEPT unless set elsewhere)\niptables -A FORWARD -p tcp -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable\niptables -A FORWARD -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable\niptables -A FORWARD -p tcp -m tcp --dport 5000 -j REJECT --reject-with icmp-port-unreachable\n\n# uncomment to log and reject everything that reaches the end of FORWARD\n# (this turns the default from accept into reject)\n#iptables -A FORWARD -j LOGREJECTF\n\n# And now our natting rules\n# If we are on the 10 subnet and going elsewhere, nat us so replies come back\niptables -t nat -A POSTROUTING -s 10.0.0.0\/8 ! -d 10.0.0.0\/8 -j MASQUERADE\n\n# This is for syncthing, but is an example of bidirectional port forwarding. We need both lines!\n# The DNAT sends incoming port 62442 to the syncthing host. The SNAT rewrites the source to\n# this box so the syncthing host replies to us and not straight to the client, which matters\n# when this box is not its default gateway or the client is on the same LAN (hairpin).\n# The price is that syncthing sees every connection as coming from 10.29.5.19.\niptables -t nat -A PREROUTING -p tcp --dport 62442 -j DNAT --to-destination 10.29.5.207\niptables -t nat -A POSTROUTING -p tcp --dport 62442 -d 10.29.5.207 -j SNAT --to-source 10.29.5.19\n\n# this rule shows how to make udp port 53 really go to port 5353: queries this host sends to\n# 10.29.11.16:53 are redirected to port 5353 on this host (REDIRECT always targets the local machine)\n#iptables -t nat -A OUTPUT -d 10.29.11.16 -p udp -m udp --dport 53 -j REDIRECT --to-port 5353\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Netplan example bridging and static ip Iptables<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/www.gary.bilkus.com\/wordpress\/wp-json\/wp\/v2\/posts\/75"}],"collection":[{"href":"https:\/\/www.gary.bilkus.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gary.bilkus.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gary.bilkus.com\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gary.bilkus.com\/wordpress\/wp-json\/wp\/v2\/comments?post=75"}],"version-history":[{"count":1,"href":"https:\/\/www.gary.bilkus.com\/wordpress\/wp-json\/wp\/v2\/posts\/75\/revisions"}],"predecessor-version":[{"id":76,"href":"https:\/\/www.gary.bilkus.com\/wordpress\/wp-json\/wp\/v2\/posts\/75\/revisions\/76"}],"wp:attachment":[{"href":"https:\/\/www.gary.bilkus.com\/wordpress\/wp-json\/wp\/v2\/media?parent=75"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gary.bilkus.com\/wordpress\/wp-json\/wp\/v2\/categories?post=75"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gary.bilkus.com\/wordpress\/wp-json\/wp\/v2\/tags?post=75"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
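Two steps of the iptables script above are fragile in practice: the `dig +short` lookup that feeds `$par1`/`$lon1` into `-s` rules, and the `iptables -N` lines, which fail on every run after the first because `-F` empties user chains but does not delete them. The following is an added example, not code from the original post, showing hardened versions of both as reusable shell functions. The hostname and address values in it are constructed placeholders, `8.8.8.8` is the resolver the post uses, and `dry_run_ipt` is an assumed stand-in for `iptables` so the demonstration runs without root.

```shell
#!/bin/sh
# Added example, not part of the original post: hardened versions of the
# DNS lookup and chain creation steps from the script above. IPT defaults
# to iptables; point it at a stand-in (see dry_run_ipt) for a dry run.
IPT=${IPT:-iptables}

# Read `dig +short` output on stdin and print exactly one IPv4 address.
# dig +short may print nothing (resolver down), a CNAME target first, or
# several A records; an unquoted $par1 built from any of those makes the
# matching iptables -s rule fail, so that rule is simply never installed.
# Returns 1 and prints nothing when no A record is present.
pick_ipv4() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | head -n 1 | grep .
}

# Resolve NAME via RESOLVER (default 8.8.8.8, as on the page) and abort the
# whole script if nothing usable comes back, so no ACCEPT rule is ever built
# from an empty source address. Needs dig and network access when called.
resolve_or_die() {
    _name=$1
    _resolver=${2:-8.8.8.8}
    _addr=$(dig +short "@$_resolver" "$_name" A | pick_ipv4) || {
        echo "cannot resolve $_name via $_resolver" >&2
        exit 1
    }
    printf '%s\n' "$_addr"
}

# Create a user chain only if it does not exist yet, then flush it.
# `iptables -F` empties chains but does not delete them, so a bare
# `iptables -N` errors with "Chain already exists" on every run after the
# first; this makes the script safe to re-run.
ensure_chain() {
    _chain=$1
    _table=${2:-filter}
    if ! "$IPT" -t "$_table" -n -L "$_chain" >/dev/null 2>&1; then
        "$IPT" -t "$_table" -N "$_chain"
    fi
    "$IPT" -t "$_table" -F "$_chain"
}

# Assumed stand-in for iptables used by the demonstration: prints the
# command it was given and reports that no chain exists yet, so both the
# -N and the -F that ensure_chain would run are shown.
dry_run_ipt() {
    echo "iptables $*"
    case "$*" in *" -L "*) return 1 ;; esac
    return 0
}

# Constructed sample of dig +short output for a name that is a CNAME with
# two A records behind it; pick_ipv4 keeps only 203.0.113.10.
SAMPLE_DIG='par1.alias.example.
203.0.113.10
203.0.113.11'

# Demonstration (no root needed).
printf '%s\n' "$SAMPLE_DIG" | pick_ipv4
IPT=dry_run_ipt
ensure_chain UNRESTRICTED
IPT=iptables
```

On a real router you would replace the two `par1=`/`lon1=` assignments with `par1=$(resolve_or_die par1.greenwheel.com)` and each `iptables -N` with `ensure_chain`; everything else in the script stays as it is.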