Saturday, February 18, 2023

Linux GRE interface TX error (the issue and resolution)

So I was doing some work for a friend of mine in the Market Delivery Network who is using a Linux host, and we ran into an issue where our IPsec tunnel was up but the GRE encapsulation over the tunnel was not working.

We had put this design into place over 2 years ago; it was then moved to a new host and started having issues. So I was scratching my head to figure out what was happening.

What we found was that the gre interface had TX errors;

After hours and hours of recreating the gre interface, I finally figured out that the source IP of our gre1 interface was not configured anywhere on the host. So the tunnel had no local address to source the GRE traffic from (the 10.247.0.39/32 that the CERT01B phase 2 below expects to see as its left side).

Once we set up the source IP on a dummy interface, the tunnel came up and our PIM neighborship was established.


Sample dummy1 interface sysconfig file (the DEVICE name must match the ifcfg-dummy1 file suffix):

[root@host01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-dummy1
DEVICE=dummy1
NM_CONTROLLED=no
ONBOOT=yes
TYPE=Ethernet
BRIDGE=virbr10
IPV6INIT=no
IPADDR=10.247.0.39
NETMASK=255.255.255.255


Sample ipsec.conf (strongSwan):

# CERT FEEDS 69.50.112.0/25
# CERT/NR A-Feed/B-Feed MDP Source Range
#CERT FEEDS 69.50.112.128/25 CERT/NR Mediator IP Source Range
#
#CERT FEEDS 69.50.112.254/32 CERT/NR A-Feed/B-Feed RP

conn CERT01
     type=tunnel
     compress=no
     authby=secret
     left=<my public address>
     right=164.74.129.26
     ikelifetime=86400s
     lifetime=3600s
     keyexchange=ikev1
     keyingtries=%forever
     rekey=yes
     auto=start
     ike=aes256-sha1-modp1024
     esp=aes256-sha1
     #dpdtimeout= 120s
     #dpdaction=restart

# phase2 for unicast traffic e.g. order entry CME group
conn CERT01A
     leftsubnet=10.247.39.64/26
     rightsubnet=69.50.112.128/25
     also=CERT01

# phase2 for GRE and multicast CME group
conn CERT01B
     leftsubnet=10.247.0.39/32
     rightsubnet=10.247.254.1/32
     also=CERT01
     leftupdown=/etc/strongswan/cme_mcast.sh






NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \

Sunday, February 5, 2023

Cloudflare IPs list

For proper protection behind the Cloudflare CDN you should write rules that allow only the Cloudflare addresses to reach your origin server; otherwise anyone who learns the origin address can bypass the CDN entirely. Do not use ANY or ALL as the source address.

First, Cloudflare's origin AS is AS13335, and from it we have a list of addresses that belong to the Cloudflare CDN:



kfelix@kfelixs-MacBook-Air ~ % whois -h whois.radb.net AS13335
aut-num:        AS13335
as-name:        CLOUDFLARENET-AS
descr:          Cloudflare, Inc.
descr:          101 Townsend Street, San Francisco, CA 94107, US
status:         OTHER
( output snipped )



Next, we can grab all IPv4/IPv6 addresses in one of two ways:

1: via curl


reisfelix@consultnt ~ % curl -o cdn-v4.file https://www.cloudflare.com/ips-v4
173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/13
104.24.0.0/14
172.64.0.0/13
131.0.72.0/22


(for IPv6, if you have IPv6-hosted web servers, use the command below)


reisfelix@consultnt ~ % curl -o cdn-v6.file https://www.cloudflare.com/ips-v6 


2: or by a query against the Cloudflare CDN AS

ipv4
whois -h whois.radb.net '!gAS13335'

ipv6
whois -h whois.radb.net '!6AS13335'



Next you will use these addresses in your rule to filter and allow only Cloudflare addresses to hit your public web server.

e.g. # FortiGate


config firewall policy
    edit 10
        set name "CDN PROTECTION CLOUDFLARE"
        set uuid 333cdb5a-c602-51ea-95d4-b967c36245b5
        set srcintf "wan"
        set dstintf "DMZ"
        set srcaddr "CLOUDFLARE_ADDRESS_GROUP"
        set dstaddr "NET-WEB"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "HTTP8080"
    next
end


In the example above, the "CLOUDFLARE_ADDRESS_GROUP" contains our IPv4/IPv6 addresses.

To add multiple addresses at one time we can bulk-create the address objects, or even loop them through an API call.

e.g. # using a bash script to make the address objects




#!/bin/bash
#
# Emit FortiOS CLI for one address object per prefix listed in
# cdn-v4.file (the file written by the curl command above), and add
# each object to the CLOUDFLARE_ADDRESS_GROUP address group.
#
while read -r p; do
 # skip blank lines so we never create an object with an empty name
 [ -z "$p" ] && continue

 echo " config firewall address"
 echo " edit \"$p\""
 echo " set subnet $p"
 echo " set comment \"CDN_CLOUDFLARE\""
 echo " next"
 echo " end"

 # now add the new object to our group
 echo " config firewall addrgrp"
 echo " edit \"CLOUDFLARE_ADDRESS_GROUP\""
 echo " append member \"$p\""
 echo " next"
 echo " end"
done < cdn-v4.file
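As an added example (not from this post), the same generator in Python for both the v4 and v6 lists, with one check the bash loop lacks: every line is validated as a strict CIDR prefix first, so an HTML error page that curl -o leaves in the file after a failed download is reported instead of being pushed into the firewall. The CF_<prefix> object names and the _V6 group suffix are naming choices made for this example.

```python
import ipaddress

# Constructed sample input standing in for cdn-v4.file / cdn-v6.file: a few
# prefixes copied from https://www.cloudflare.com/ips-v4 and ips-v6, one
# duplicate, and an HTML line of the kind curl -o leaves in the file when
# the download fails.
SAMPLE_V4 = "173.245.48.0/20\n103.21.244.0/22\n104.16.0.0/13\n104.16.0.0/13\n"
SAMPLE_V6 = "2400:cb00::/32\n2606:4700::/32\n<html>Not Found</html>\n"


def parse_prefixes(text):
    """Return (accepted, rejected). Only strict CIDR prefixes are accepted;
    anything else (HTML error page, host bits set) is reported rather than
    silently turned into a firewall object."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line, strict=True)
        except ValueError:
            rejected.append(line)
            continue
        if net not in accepted:  # drop duplicates, keep file order
            accepted.append(net)
    return accepted, rejected


def fortigate_config(prefixes, group="CLOUDFLARE_ADDRESS_GROUP", comment="CDN_CLOUDFLARE"):
    """Emit FortiOS CLI: one address object per prefix, then a group whose
    single 'set member' lists every object, so a re-run replaces the
    membership instead of appending to it. IPv6 objects go to the separate
    address6/addrgrp6 tables (group name + _V6, a choice of this example)."""
    out = []
    for ver, tbl, grp, key, suffix in ((4, "address", "addrgrp", "subnet", ""),
                                       (6, "address6", "addrgrp6", "ip6", "_V6")):
        nets = [n for n in prefixes if n.version == ver]
        if not nets:
            continue
        names = ["CF_" + str(n).replace("/", "_") for n in nets]  # object names
        out.append("config firewall " + tbl)
        for n, name in zip(nets, names):
            out += ['    edit "%s"' % name, "        set %s %s" % (key, n),
                    '        set comment "%s"' % comment, "    next"]
        out.append("end")
        out += ["config firewall " + grp, '    edit "%s%s"' % (group, suffix),
                "        set member " + " ".join('"%s"' % x for x in names),
                "    next", "end"]
    return "\n".join(out) + "\n"
```

Run parse_prefixes over each downloaded file and refuse to push the output of fortigate_config if the rejected list is not empty.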



