[Cerowrt-devel] bcp38 via ipset

Dave Taht dave.taht at gmail.com
Thu Jan 16 00:37:28 EST 2014 

#!/bin/sh


                     # I am allergic to writing tons and tons of
iptables rules. Perhaps
# using ipsets instead would be more efficient?
# a (borken) start at trying it below:

ipset destroy egress-ipv4
                                     ipset destroy egress-ipv6
ipset create bcp38-ipv4 hash:net family inet timeout 0 hashsize 32
ipset add bcp38-ipv4 127.0.0.0/8
ipset add bcp38-ipv4 192.168.0.0/16
                              ipset add bcp38-ipv4 10.0.0.0/8
                                                               ipset
add bcp38-ipv4 172.16.0.0/12
                        ipset add bcp38-ipv4 169.254.0.0/16
                                                       # But what
should bcp38 look like for ipv6?
ipset create bcp38-ipv6 hash:net family inet6 timeout 0 hashsize 32
ipset add bcp38-ipv6 2001:DB8::/32 # example ipv6 addr kill
                   ipset add bcp38-ipv6 fc00::/7  # reject ula
                                                  ipset add bcp38-ipv6
ff00::/8  # reject multicast
        ipset add bcp38-ipv6 fec0::/10 # reject site-local
                                     ipset add bcp38-ipv6 ::ffff/96 #
reject v6mapped

                                             ipset create egress-ipv4
hash:net family inet timeout 0 hashsize 32                      ipset
add egress-ipv4 127.0.0.0/8
                           ipset add egress-ipv4 192.168.0.0/16
                                                          ipset add
egress-ipv4 10.0.0.0/8
                        ipset add egress-ipv4 172.16.0.0/12
                                                       ipset add
egress-ipv4 169.254.0.0/16

# you could then dynamically add your external ip even
# in a double nat situation in a dhcpd callback
# Prohibit multicast except for a few well known services?
ipset create egress-ipv6 hash:net family inet6 timeout 0 hashsize 32
ipset add egress-ipv6 fc00::/7
ipset add egress-ipv6 ff00::/8
ipset add egress-ipv6 2001:DB8::/32 # Block IPv6 example address
ipset add egress-ipv6 fec0::/10 # reject site-local
ipset add egress-ipv6 ::ffff/96 # reject v6mapped

# FIXME punch hole for network discovery?
# FIXME punch a hole for dhcpv6
# punch a hole for babel
# And for all that above this attempt at rules don't work
# output? some other chain?

iptables -A forwarding_wan_rule -m set --match-set egress-ipv4 dst -j
REJECT --reject-with icmp-host-unreachable
ip6tables -A forwarding_wan_rule -m set --match-set egress-ipv6 dst -j
REJECT --reject-with addr-unreach


-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html

More information about the Cerowrt-devel mailing list