Pages

16/04/2018

Faking a routed subnet with OVH / SoYouStart

I am currently in the process of decommissioning my trusty SoYouStart server (Part of OVH) so I thought I'd best document some of the stuff that may be useful in future.

You can purchase additional IP addresses off SoYouStart (SYS) however they work a little differently to the norm. I think the best way to describe it is they use static ARP to associate a public IP with a MAC address, and drop any traffic from a public IP unless its originating from the same MAC that was statically mapped. Because of this, the gateway isn't in the same subnet as the public IP range.

Before being decommissioned I was using the server as a VM Host and to mimic a 'real' setup I wanted a virtualised router / firewall between the internet and the Virtual Machines. Those of you that follow my blog will know I am a Mikrotik fanboy, so I decided to use the Mikrotik CHR (Cloud Hosted Router) as it was cheap and flexible.

To get this working I purchased an additional /32 for the routers 'external' interface and a /28 for the routers 'internal' interface. It's also required to reconfigure the SYS server's network configuration to use a bridge rather than having its IP directly on the interface.



Disclaimer: This is not a full guide, and should be considered "inspiration"


SoYouStart


Server

First of all edit the interfaces file:
vim /etc/network/interfaces

And make sure it looks something like the example below. You should copy your configuration from eth0, only changing what's necessary. Be warned this is the riskiest part of the operation, messing it up could lock you out of the server.
auto lo
iface lo inet loopback

auto br0
iface br0 inet static
        address 188.165.212.10
        netmask 255.255.255.0
        network 188.165.212.0
        broadcast 188.165.212.255
        gateway 188.165.212.254
        pre-up iptables-restore < /etc/iptables.rules
        bridge_ports eth0
        bridge_fd 9
        bridge_hello 2
        bridge_maxage 12
        bridge_stp off


        iface br0 inet6 static
        address 2001:41D0:2:9F0a::
        netmask 64
        pre-up ip6tables-restore < /etc/iptables6.rules
        post-up /sbin/ip -f inet6 route add 2001:41D0:2:9Fff:ff:ff:ff:ff dev br0
        post-up /sbin/ip -f inet6 route add default via 2001:41D0:2:9Fff:ff:ff:ff:ff
        pre-down /sbin/ip -f inet6 route del default via 2001:41D0:2:9Fff:ff:ff:ff:ff
        pre-down /sbin/ip -f inet6 route del 2001:41D0:2:9Fff:ff:ff:ff:ff dev br0

#Public DMZ Bridge
auto br1
iface br1 inet manual
        bridge_ports none
        bridge_stp on

Edit the iptables rules:
vim /etc/iptables.rules

Add your rules, using the following for inspiration:
*filter

# Set default Actions
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
# Allow established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow ICMP
-A INPUT -p icmp -j ACCEPT

# Allow loopback traffic
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Allow connections to SSH from ANYWHERE
-A INPUT -s 0.0.0.0/0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT

# Allow connections to SNMP from 5.39.23.167/32 (Cacti)
-A INPUT -s 5.39.23.167/32 -p udp -m udp --dport 161  -m state --state NEW -j ACCEPT

# Allow connections from trusted locations to VNC ports
-A INPUT -s 80.229.147.168/32 -m state -p tcp --dport 5900:6000 --state NEW -j ACCEPT
-A INPUT -s 5.39.23.164/32 -m state -p tcp --dport 5900:6000 --state NEW -j ACCEPT

# Allow all traffic to and from the routed subnet
-A FORWARD -s 0.0.0.0/0 -d 5.39.23.160/28 -j ACCEPT
-A FORWARD -s 5.39.23.160/28 -d 0.0.0.0/0 -j ACCEPT

# Allow all traffic to and from the router
-A FORWARD -s 0.0.0.0/0 -d 94.23.156.35/32 -j ACCEPT -A FORWARD -s 94.23.156.35/32 -d 0.0.0.0/0 -j ACCEPT
# Drop everything else
-A INPUT -j DROP
-A FORWARD -j ACCEPT
COMMIT


Edit the iptables rules for IPv6:
vim /etc/iptables6.rules

Add your rules, using the following inspiration. Note I'm dropping all IPv6 with the exception of ICMP, because I'm a terrible person that doesn't support IPv6:
* filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:512]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow anything on the local link
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Allow Link-Local addresses
-A INPUT -s fe80::/10 -j ACCEPT
-A OUTPUT -s fe80::/10 -j ACCEPT

# Allow ICMP
-A INPUT -p icmpv6 -j ACCEPT
-A OUTPUT -p icmpv6 -j ACCEPT
-A FORWARD -p icmpv6 -j ACCEPT

# Drop everything else
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

Router

Add the IP that was issue as the /32 onto the WAN interface of the router. This should be connected to br0 of the physical host. For RouterOS, this command looks like this:
/ip address
add address=94.23.156.35 comment=WAN interface=WAN network=188.165.212.254

Add the IPs issued as the /28 onto the DMZ interface of the router. This should be connected to br1 of the physical host. For RouterOS, this command looks like this:
/ip address
add address=5.39.23.161/28 interface=DMZ network=5.39.23.160

Virtual Machines

Any virtual machine that requires a public IP should then be attached to the br1 interface on the host, and statically assigned a public IP from the available /28 subnet, using the DMZ IP of the router as the default gateway. You will also need to assign the MAC address of external interface of the router to each IP of the subnet in the SoYouStart admin panel.

No comments:

Post a comment