From: Dave Taht
To: cerowrt-devel@lists.bufferbloat.net
Date: Thu, 16 Jan 2014 00:37:28 -0500
Subject: [Cerowrt-devel] bcp38 via ipset
List-Id: Development issues regarding the cerowrt test router project

#!/bin/sh
# I am allergic to writing tons and tons of iptables rules. Perhaps
# using ipsets instead would be more efficient?
# a (borken) start at trying it below:

# Tear down any sets left over from a previous run. ipset destroy fails
# if the set does not exist, so that error is ignored; the bcp38-* sets
# are destroyed too, otherwise the create below fails on the second run.
ipset destroy bcp38-ipv4 2>/dev/null
ipset destroy bcp38-ipv6 2>/dev/null
ipset destroy egress-ipv4 2>/dev/null
ipset destroy egress-ipv6 2>/dev/null

ipset create bcp38-ipv4 hash:net family inet timeout 0 hashsize 32
ipset add bcp38-ipv4 127.0.0.0/8
ipset add bcp38-ipv4 192.168.0.0/16
ipset add bcp38-ipv4 10.0.0.0/8
ipset add bcp38-ipv4 172.16.0.0/12
ipset add bcp38-ipv4 169.254.0.0/16

# But what should bcp38 look like for ipv6?
ipset create bcp38-ipv6 hash:net family inet6 timeout 0 hashsize 32
ipset add bcp38-ipv6 2001:DB8::/32    # example ipv6 addr kill
ipset add bcp38-ipv6 fc00::/7         # reject ula
ipset add bcp38-ipv6 ff00::/8         # reject multicast
ipset add bcp38-ipv6 fec0::/10        # reject site-local
ipset add bcp38-ipv6 ::ffff:0:0/96    # reject v6mapped (was ::ffff/96, which masks to ::/96)

ipset create egress-ipv4 hash:net family inet timeout 0 hashsize 32
ipset add egress-ipv4 127.0.0.0/8
ipset add egress-ipv4 192.168.0.0/16
ipset add egress-ipv4 10.0.0.0/8
ipset add egress-ipv4 172.16.0.0/12
ipset add egress-ipv4 169.254.0.0/16
# you could then dynamically add your external ip even
# in a double nat situation in a dhcpd callback

# Prohibit multicast except for a few well known services?
ipset create egress-ipv6 hash:net family inet6 timeout 0 hashsize 32
ipset add egress-ipv6 fc00::/7
ipset add egress-ipv6 ff00::/8
ipset add egress-ipv6 2001:DB8::/32   # Block IPv6 example address
ipset add egress-ipv6 fec0::/10       # reject site-local
ipset add egress-ipv6 ::ffff:0:0/96   # reject v6mapped (was ::ffff/96, which masks to ::/96)
# FIXME punch hole for network discovery?
# FIXME punch a hole for dhcpv6
# punch a hole for babel

# And for all that above, this attempt at rules doesn't work
# output? some other chain?
iptables -A forwarding_wan_rule -m set --match-set egress-ipv4 dst -j REJECT --reject-with icmp-host-unreachable
ip6tables -A forwarding_wan_rule -m set --match-set egress-ipv6 dst -j REJECT --reject-with addr-unreach

-- 
Dave Täht
Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
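An offline sanity check of the prefix lists in the script (an added example, not part of Dave's mail): it models each hash:net set with Python's standard ipaddress module, masking host bits the way ipset does, and shows why the `::ffff/96` spelling does not match IPv4-mapped addresses while `::ffff:0:0/96` does. The sample addresses are constructed.

```python
"""Offline model of the ipset hash:net lists from the bcp38 script.

Added example, not part of the original mail. It needs neither root nor
the ipset tool, so the prefix lists can be checked on any host before
they are loaded on the router. Sample addresses below are constructed.
"""
import ipaddress

# IPv4 list from the script (loopback, RFC 1918, link-local).
BCP38_IPV4 = ["127.0.0.0/8", "192.168.0.0/16", "10.0.0.0/8",
              "172.16.0.0/12", "169.254.0.0/16"]
# IPv6 list from the script, with the v4-mapped prefix written out in full.
BCP38_IPV6 = ["2001:db8::/32", "fc00::/7", "ff00::/8", "fec0::/10",
              "::ffff:0:0/96"]


def build_set(prefixes):
    """Parse prefixes the way an ipset hash:net stores them: host bits are
    masked off (strict=False), so '::ffff/96' silently becomes '::/96'."""
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def in_set(nets, addr):
    """True if addr falls inside any network of the modelled set.
    ipaddress returns False for a v4 address tested against a v6 net."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def host_bits_set(prefixes):
    """Lint a list before loading it: return (prefix, stored_as) pairs for
    every entry ipset would rewrite because it has host bits set."""
    bad = []
    for p in prefixes:
        try:
            ipaddress.ip_network(p, strict=True)
        except ValueError:
            bad.append((p, str(ipaddress.ip_network(p, strict=False))))
    return bad


if __name__ == "__main__":
    v6 = build_set(BCP38_IPV6)
    # Constructed samples: a v4-mapped address, multicast, and link-local.
    for sample in ("::ffff:192.0.2.1", "ff02::1", "fe80::1"):
        print(sample, "in bcp38-ipv6:", in_set(v6, sample))
    # The original spelling: loaded as ::/96, so v4-mapped traffic passes.
    print("rewritten prefixes:", host_bits_set(["::ffff/96"]))
```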