parent
caacd92bc9
commit
3f0c737fd8
|
@ -1,4 +1,5 @@
|
|||
0.7 - Brielle Bruns <bruns@2mbit.com>
|
||||
- MSS Clamp on IPv6 as well
|
||||
- Beginning support for bogons filtering and updater
|
||||
script.
|
||||
|
||||
|
|
|
@ -20,7 +20,8 @@ FORWARD=1
|
|||
BLOCKINCOMING=1
|
||||
|
||||
# Clamp MSS, useful on DSL/VPN links
|
||||
#CLAMPMSS=ppp0
|
||||
# Space separated list of interfaces to apply this on
|
||||
#CLAMPMSS="ppp0 eth0"
|
||||
|
||||
# Do we run a LAN DHCP server?
|
||||
#LANDHCPSERVER=1
|
||||
|
@ -74,6 +75,11 @@ IPV6BLOCKINCOMING=1
|
|||
# Useful if clients do not have proper ipv6 firewalls.
|
||||
#IPV6ROUTEDCLIENTBLOCK=1
|
||||
|
||||
# Clamp MSS, useful on DSL/VPN links
|
||||
# Space separated list of interfaces to apply this on
|
||||
# it may be used eventually.
|
||||
#CLAMPMSSIPV6="he-ipv6"
|
||||
|
||||
# Interface IPv6 comes in on (either tunnel or real network interface)
|
||||
#IPV6INT=he-ipv6
|
||||
|
||||
|
|
35
rc.firewall
35
rc.firewall
|
@ -46,11 +46,21 @@ fi
|
|||
|
||||
if [ $CLAMPMSS ]; then
|
||||
echo "Clamping MSS to PMTU..."
|
||||
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
|
||||
--clamp-mss-to-pmtu
|
||||
iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
|
||||
--clamp-mss-to-pmtu
|
||||
|
||||
for i in $CLAMPMSS; do
|
||||
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
|
||||
--clamp-mss-to-pmtu -o $i --mss 1400:1536
|
||||
$IPTABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
|
||||
--clamp-mss-to-pmtu -o $i --mss 1400:1536
|
||||
# This is necessary to make sure that PMTU works
|
||||
$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded \
|
||||
-o $i -j ACCEPT
|
||||
$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded \
|
||||
-i $i -j ACCEPT
|
||||
$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \
|
||||
-o $i -j ACCEPT
|
||||
$IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed \
|
||||
-i $i -j ACCEPT
|
||||
done
|
||||
#$IPTABLES -t mangle -o $CLAMPMSS -A FORWARD -p tcp \
|
||||
# --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 \
|
||||
# -j TCPMSS --clamp-mss-to-pmtu
|
||||
|
@ -152,10 +162,17 @@ fi
|
|||
|
||||
|
||||
|
||||
|
||||
|
||||
if [ $NAT ]; then
|
||||
for i in $NATRANGE; do
|
||||
$IPTABLES -A POSTROUTING -t nat -s $i -o $NATEXTIF -j SNAT --to-source $NATEXTIP
|
||||
done
|
||||
# This is necessary to make sure that PMTU works
|
||||
$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o $NATEXTIF \
|
||||
-j ACCEPT
|
||||
$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \
|
||||
-o $NATEXTIF -j ACCEPT
|
||||
fi
|
||||
|
||||
$IPTABLES --policy INPUT ACCEPT
|
||||
|
@ -187,6 +204,14 @@ if [ $IPV6 ]; then
|
|||
done
|
||||
echo -ne "\n"
|
||||
|
||||
|
||||
if [ $CLAMPMSSIPV6 ]; then
|
||||
echo "Clamping IPv6 MSS to PMTU..."
|
||||
ip6tables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
|
||||
--clamp-mss-to-pmtu
|
||||
ip6tables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
|
||||
--clamp-mss-to-pmtu
|
||||
fi
|
||||
echo -n "Adding allowed IPv6 port: "
|
||||
|
||||
for i in $IPV6TCP; do
|
||||
|
|
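Review bot: `if [ $CLAMPMSS ]; then` in the rc.firewall hunk at old line 46 breaks as soon as CLAMPMSS holds the space-separated interface list the new config comment documents (`#CLAMPMSS="ppp0 eth0"`): the unquoted expansion becomes `[ ppp0 eth0 ]`, test reports too many arguments, and the whole clamp block, including the new ICMP time-exceeded/fragmentation-needed accept rules, is silently skipped. The same pattern is in the new `if [ $CLAMPMSSIPV6 ]; then` in the IPv6 hunk; both should read `if [ -n "$CLAMPMSS" ]; then` and `if [ -n "$CLAMPMSSIPV6" ]; then`. Separately, the IPv6 block ignores the interface list entirely and adds none of the ICMP accept rules the IPv4 block justifies with "This is necessary to make sure that PMTU works"; the IPv6 counterpart would be an ICMPv6 packet-too-big accept, so a `# TODO: per-interface -o and ICMPv6 packet-too-big accept, as in the IPv4 block` comment would keep that gap visible. The enclosing script continues outside these hunks.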