From b90a98cedc1bb6f93fb2399ee02834ef27a27eba Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO
Date: Tue, 15 Jun 2021 11:52:48 +0200
Subject: [PATCH] Disable IPv6 forwarding on node 2

Signed-off-by: Yohann D'ANELLO
---
 firewall/restrict-http.conf | 5 +++--
 start.sh | 9 ++++++---
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/firewall/restrict-http.conf b/firewall/restrict-http.conf
index 676ca24..55c9081 100755
--- a/firewall/restrict-http.conf
+++ b/firewall/restrict-http.conf
@@ -8,8 +8,9 @@ table inet filter {
 }
 chain forward {
 type filter hook forward priority 0; policy accept
-ip6 saddr fd00:42::/32 dport { 80 } reject;
-ip6 daddr fd00:42::/32 dport { 80 } reject;
+ip daddr 172.17.0.0/30 tcp dport { 80 } accept;
+tcp dport { 0-65535 } reject;
+udp dport { 0-65535 } reject;
 accept
 }
 chain output {
diff --git a/start.sh b/start.sh
index 877fd42..d6dcb2a 100755
--- a/start.sh
+++ b/start.sh
@@ -112,8 +112,11 @@ tmux send-keys -t ns1 "ip route add 172.17.2.0/24 via 172.17.1.2 dev vde1 proto
 ip route add 172.17.1.0/24 via 172.17.0.2
 ip route add 172.17.2.0/24 via 172.17.0.2
 
-# Restrict HTTP transport on node 2
+# Restrict HTTP transport on nodes 2 and 3
 tmux send-keys -t ns2 "nft -f $dir/firewall/restrict-http.conf" Enter
+tmux send-keys -t ns3 "nft -f $dir/firewall/restrict-http.conf" Enter
+# Disable ip forwarding on node 2, woops
+tmux send-keys -t ns2 "sleep 10 && sysctl -w net.ipv6.conf.all.forwarding=0" Enter
 
 for i in 1 2 3 4; do
 mkdir -p $dir/certs/node$i $dir/states/node$i
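Review bot: The two catch-all rules `tcp dport { 0-65535 } reject;` and `udp dport { 0-65535 } reject;` turn the forward chain from an HTTP restriction into a block of every forwarded TCP and UDP flow in both address families (an `inet` table matches IPv4 and IPv6), leaving only IPv4 HTTP towards 172.17.0.0/30 relayed and reaching the trailing `accept` solely for non-TCP/UDP traffic such as ICMP. Neither the commit message ("Disable IPv6 forwarding on node 2") nor the start.sh comment "Restrict HTTP transport" says this broadening is intended, and the same file is now also loaded on node 3. If blocking all forwarded L4 traffic is the goal, record it at the top of the chain, e.g. `# Relay only IPv4 HTTP towards 172.17.0.0/30; every other forwarded TCP/UDP flow is rejected (ICMP and other protocols still pass)`; if only HTTP was meant, the rejects should keep `tcp dport { 80 }` as the removed ip6 rules did. Note also that `reject` actively answers each blocked flow; `drop` is the quieter choice if those answers are not wanted, which the page does not tell.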
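Review bot: The new line `tmux send-keys -t ns2 "sleep 10 && sysctl -w net.ipv6.conf.all.forwarding=0" Enter` ties node 2's forwarding state to a fixed delay rather than to an event: it runs in the ns2 pane while the loop below starts re6stnet in a split pane (with its own `sleep 15` wait, visible in the next hunk), so whether the sysctl lands before or after node 2 is configured is timing-dependent, and if something started later re-enables forwarding the setting is silently lost. The comment `# Disable ip forwarding on node 2, woops` should say what the delay waits for and why node 2 must not forward IPv6 (the nft forward chain loaded just above only filters TCP/UDP), e.g. `# Node 2 must not relay IPv6; applied after a delay, presumably because a later step turns forwarding back on -- confirm and replace the sleep with an explicit check`. If the ordering matters, issuing the sysctl inside the loop right after the re6stnet command for node 2 would be deterministic. The remainder of start.sh around this hunk is outside the view.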
@@ -125,8 +128,8 @@ for i in 1 2 3 4; do
 sleep 15
 fi
 tmux split-window -h -t ns$i nsenter -t `cat $dir/run/node$i.pid` --net
-subnet=1
-if [[ $i == 4 ]]; then subnet=2; fi
+subnet=2
+if [[ $i == 1 ]]; then subnet=1; fi
 tmux send-keys -t ns$i "re6stnet --registry http://172.17.0.1 --ip 172.17.$subnet.$i --ca $dir/certs/node$i/ca.crt --cert $dir/certs/node$i/cert.crt --key $dir/certs/node$i/cert.key --state $dir/states/node$i --log $dir/log/node$i --run $dir/run/re6stnet-node$i.pid" Enter
 tmux select-pane -t ns$i -L
 done
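Review bot: The swapped default (`subnet=2`, with only node 1 kept on `subnet=1`) moves nodes 2 and 3 from 172.17.1.x to 172.17.2.x via `--ip 172.17.$subnet.$i`, a renumbering the commit message ("Disable IPv6 forwarding on node 2") does not mention; the routes added earlier in the script (`172.17.1.0/24` and `172.17.2.0/24 via 172.17.0.2` in the previous hunk, and the ns1 route in this hunk's header) should be re-checked against the new layout. A one-line comment above the assignment, e.g. `# node 1 lives on 172.17.1.0/24, nodes 2-4 on 172.17.2.0/24`, would record the intended addressing for whoever next edits the routes. As a point of style the pair reads more directly as `subnet=2; [[ $i == 1 ]] && subnet=1`. The enclosing for loop starts outside this hunk.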