master
parent
caacd92bc9
commit
3f0c737fd8
|
@ -1,4 +1,5 @@
|
||||||
0.7 - Brielle Bruns <bruns@2mbit.com>
|
0.7 - Brielle Bruns <bruns@2mbit.com>
|
||||||
|
- MSS Clamp on IPv6 as well
|
||||||
- Beginning support for bogons filtering and updater
|
- Beginning support for bogons filtering and updater
|
||||||
script.
|
script.
|
||||||
|
|
||||||
|
|
|
@ -20,7 +20,8 @@ FORWARD=1
|
||||||
BLOCKINCOMING=1
|
BLOCKINCOMING=1
|
||||||
|
|
||||||
# Clamp MSS, useful on DSL/VPN links
|
# Clamp MSS, useful on DSL/VPN links
|
||||||
#CLAMPMSS=ppp0
|
# Space separated list of interfaces to apply this on
|
||||||
|
#CLAMPMSS="ppp0 eth0"
|
||||||
|
|
||||||
# Do we run a LAN DHCP server?
|
# Do we run a LAN DHCP server?
|
||||||
#LANDHCPSERVER=1
|
#LANDHCPSERVER=1
|
||||||
|
@ -74,6 +75,11 @@ IPV6BLOCKINCOMING=1
|
||||||
# Useful if clients do not have proper ipv6 firewalls.
|
# Useful if clients do not have proper ipv6 firewalls.
|
||||||
#IPV6ROUTEDCLIENTBLOCK=1
|
#IPV6ROUTEDCLIENTBLOCK=1
|
||||||
|
|
||||||
|
# Clamp MSS, useful on DSL/VPN links
|
||||||
|
# Space separated list of interfaces to apply this on
|
||||||
|
# it may be used eventually.
|
||||||
|
#CLAMPMSSIPV6="he-ipv6"
|
||||||
|
|
||||||
# Interface IPv6 comes in on (either tunnel or real network interface)
|
# Interface IPv6 comes in on (either tunnel or real network interface)
|
||||||
#IPV6INT=he-ipv6
|
#IPV6INT=he-ipv6
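Review bot: The added comment line `# it may be used eventually.` in the CLAMPMSSIPV6 block is a sentence fragment — it has no subject, so a reader cannot tell what "it" refers to or why a list is requested if it is not used. In the rc.firewall hunk of this same commit, CLAMPMSSIPV6 appears to be tested only for being set and the interface names are not referenced, so the intent is presumably forward compatibility; suggest making that explicit, e.g. `# Space separated list of interfaces to apply this on.` followed by `# Currently only checked for being set; the per-interface list may be used eventually.`.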
|
||||||
|
|
||||||
|
|
35
rc.firewall
35
rc.firewall
|
@ -46,11 +46,21 @@ fi
|
||||||
|
|
||||||
if [ $CLAMPMSS ]; then
|
if [ $CLAMPMSS ]; then
|
||||||
echo "Clamping MSS to PMTU..."
|
echo "Clamping MSS to PMTU..."
|
||||||
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
|
for i in $CLAMPMSS; do
|
||||||
--clamp-mss-to-pmtu
|
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
|
||||||
iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
|
--clamp-mss-to-pmtu -o $i --mss 1400:1536
|
||||||
--clamp-mss-to-pmtu
|
$IPTABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
|
||||||
|
--clamp-mss-to-pmtu -o $i --mss 1400:1536
|
||||||
|
# This is necessary to make sure that PMTU works
|
||||||
|
$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded \
|
||||||
|
-o $i -j ACCEPT
|
||||||
|
$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded \
|
||||||
|
-i $i -j ACCEPT
|
||||||
|
$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \
|
||||||
|
-o $i -j ACCEPT
|
||||||
|
$IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed \
|
||||||
|
-i $i -j ACCEPT
|
||||||
|
done
|
||||||
#$IPTABLES -t mangle -o $CLAMPMSS -A FORWARD -p tcp \
|
#$IPTABLES -t mangle -o $CLAMPMSS -A FORWARD -p tcp \
|
||||||
# --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 \
|
# --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 \
|
||||||
# -j TCPMSS --clamp-mss-to-pmtu
|
# -j TCPMSS --clamp-mss-to-pmtu
|
||||||
|
@ -152,10 +162,17 @@ fi
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
if [ $NAT ]; then
|
if [ $NAT ]; then
|
||||||
for i in $NATRANGE; do
|
for i in $NATRANGE; do
|
||||||
$IPTABLES -A POSTROUTING -t nat -s $i -o $NATEXTIF -j SNAT --to-source $NATEXTIP
|
$IPTABLES -A POSTROUTING -t nat -s $i -o $NATEXTIF -j SNAT --to-source $NATEXTIP
|
||||||
done
|
done
|
||||||
|
# This is necessary to make sure that PMTU works
|
||||||
|
$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o $NATEXTIF \
|
||||||
|
-j ACCEPT
|
||||||
|
$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \
|
||||||
|
-o $NATEXTIF -j ACCEPT
|
||||||
fi
|
fi
|
||||||
|
|
||||||
$IPTABLES --policy INPUT ACCEPT
|
$IPTABLES --policy INPUT ACCEPT
|
||||||
|
@ -187,6 +204,14 @@ if [ $IPV6 ]; then
|
||||||
done
|
done
|
||||||
echo -ne "\n"
|
echo -ne "\n"
|
||||||
|
|
||||||
|
|
||||||
|
if [ $CLAMPMSSIPV6 ]; then
|
||||||
|
echo "Clamping IPv6 MSS to PMTU..."
|
||||||
|
ip6tables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
|
||||||
|
--clamp-mss-to-pmtu
|
||||||
|
ip6tables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
|
||||||
|
--clamp-mss-to-pmtu
|
||||||
|
fi
|
||||||
echo -n "Adding allowed IPv6 port: "
|
echo -n "Adding allowed IPv6 port: "
|
||||||
|
|
||||||
for i in $IPV6TCP; do
|
for i in $IPV6TCP; do
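Review bot: The new `for i in $CLAMPMSS; do` loop (and the config example `CLAMPMSS="ppp0 eth0"`) turn CLAMPMSS into a space-separated list, but the unchanged guard above it is still the unquoted `if [ $CLAMPMSS ]; then`, which with two interfaces expands to `[ ppp0 eth0 ]`, fails with "unary operator expected" and silently skips the whole clamping block; it should be `if [ -n "$CLAMPMSS" ]; then`, and the same applies to the new `if [ $CLAMPMSSIPV6 ]; then`. In the two rewritten TCPMSS rules, `--mss 1400:1536` is an option of the `tcpmss` match rather than of the TCPMSS target, so appended after `-j TCPMSS --clamp-mss-to-pmtu` without `-m tcpmss` iptables will most likely reject the rule as an unknown option — the commented-out rule just below shows the working form `-m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu`, and note that `-o $i` also needs to precede the target options. The IPv6 block only tests CLAMPMSSIPV6 as a flag and never iterates over the interfaces the config describes, calls `ip6tables` directly where the IPv4 code goes through `$IPTABLES`, and — unlike the IPv4 block — adds no ICMPv6 `packet-too-big` accept rules, which IPv6 PMTUD depends on if IPV6BLOCKINCOMING filters inbound ICMPv6; its enclosing `if [ $IPV6 ]` starts outside the hunk. The NAT hunk adds only OUTPUT rules for `time-exceeded`/`fragmentation-needed` on `$NATEXTIF` with no INPUT counterpart such as the CLAMPMSS block adds, so either mirror them or add a comment saying why inbound ICMP is already allowed there.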
|
||||||
|
|