bruns@2mbit.com 2010-05-15 17:07:40 +00:00
parent caacd92bc9
commit 3f0c737fd8
3 changed files with 38 additions and 6 deletions


@ -1,4 +1,5 @@
0.7 - Brielle Bruns <bruns@2mbit.com> 0.7 - Brielle Bruns <bruns@2mbit.com>
- MSS Clamp on IPv6 as well
- Beginning support for bogons filtering and updater - Beginning support for bogons filtering and updater
script. script.


@ -20,7 +20,8 @@ FORWARD=1
BLOCKINCOMING=1 BLOCKINCOMING=1
# Clamp MSS, useful on DSL/VPN links # Clamp MSS, useful on DSL/VPN links
#CLAMPMSS=ppp0 # Space separated list of interfaces to apply this on
#CLAMPMSS="ppp0 eth0"
# Do we run a LAN DHCP server? # Do we run a LAN DHCP server?
#LANDHCPSERVER=1 #LANDHCPSERVER=1
@ -74,6 +75,11 @@ IPV6BLOCKINCOMING=1
# Useful if clients do not have proper ipv6 firewalls. # Useful if clients do not have proper ipv6 firewalls.
#IPV6ROUTEDCLIENTBLOCK=1 #IPV6ROUTEDCLIENTBLOCK=1
# Clamp MSS, useful on DSL/VPN links
# Space separated list of interfaces to apply this on
# it may be used eventually.
#CLAMPMSSIPV6="he-ipv6"
# Interface IPv6 comes in on (either tunnel or real network interface) # Interface IPv6 comes in on (either tunnel or real network interface)
#IPV6INT=he-ipv6 #IPV6INT=he-ipv6
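Review bot: The comment `# it may be used eventually.` added above `#CLAMPMSSIPV6="he-ipv6"` is a fragment, and together with `# Space separated list of interfaces to apply this on` it documents per-interface behaviour that the IPv6 clamp rules in the script do not implement in this commit (the `ip6tables ... -j TCPMSS --clamp-mss-to-pmtu` lines carry no interface match). An admin reading this file would reasonably expect traffic on interfaces not listed to be left alone, which is not what happens. Replace the two lines with one accurate comment, e.g. `# Enable IPv6 MSS clamping (value is currently only an on/off switch; per-interface rules are not implemented yet)`, and revisit it when the script actually iterates over the list.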


@ -46,11 +46,21 @@ fi
if [ $CLAMPMSS ]; then if [ $CLAMPMSS ]; then
echo "Clamping MSS to PMTU..." echo "Clamping MSS to PMTU..."
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \ for i in $CLAMPMSS; do
--clamp-mss-to-pmtu $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \ --clamp-mss-to-pmtu -o $i --mss 1400:1536
--clamp-mss-to-pmtu $IPTABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
--clamp-mss-to-pmtu -o $i --mss 1400:1536
# This is necessary to make sure that PMTU works
$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded \
-o $i -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded \
-i $i -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \
-o $i -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed \
-i $i -j ACCEPT
done
#$IPTABLES -t mangle -o $CLAMPMSS -A FORWARD -p tcp \ #$IPTABLES -t mangle -o $CLAMPMSS -A FORWARD -p tcp \
# --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 \ # --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 \
# -j TCPMSS --clamp-mss-to-pmtu # -j TCPMSS --clamp-mss-to-pmtu
@ -152,10 +162,17 @@ fi
if [ $NAT ]; then if [ $NAT ]; then
for i in $NATRANGE; do for i in $NATRANGE; do
$IPTABLES -A POSTROUTING -t nat -s $i -o $NATEXTIF -j SNAT --to-source $NATEXTIP $IPTABLES -A POSTROUTING -t nat -s $i -o $NATEXTIF -j SNAT --to-source $NATEXTIP
done done
# This is necessary to make sure that PMTU works
$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o $NATEXTIF \
-j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \
-o $NATEXTIF -j ACCEPT
fi fi
$IPTABLES --policy INPUT ACCEPT $IPTABLES --policy INPUT ACCEPT
@ -187,6 +204,14 @@ if [ $IPV6 ]; then
done done
echo -ne "\n" echo -ne "\n"
if [ $CLAMPMSSIPV6 ]; then
echo "Clamping IPv6 MSS to PMTU..."
ip6tables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
--clamp-mss-to-pmtu
ip6tables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
--clamp-mss-to-pmtu
fi
echo -n "Adding allowed IPv6 port: " echo -n "Adding allowed IPv6 port: "
for i in $IPV6TCP; do for i in $IPV6TCP; do
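Review bot: `if [ $CLAMPMSS ]; then` (the context line opening the first hunk) breaks as soon as CLAMPMSS holds the space-separated list the commit now documents: `[ ppp0 eth0 ]` is a malformed test, prints `unary operator expected` and evaluates false, so none of the TCPMSS or ICMP rules in the new loop are installed at all; use `if [ -n "$CLAMPMSS" ]; then` (and the same for `[ $CLAMPMSSIPV6 ]` in the last hunk). The new rules also place `--mss 1400:1536` after `-j TCPMSS --clamp-mss-to-pmtu` without loading the match module; `--mss` is an option of `-m tcpmss`, as the commented-out rule right below the loop shows, so iptables will most likely reject each rule as an unknown option — confirm on a live box and either insert `-m tcpmss` before `--mss 1400:1536` or drop the range. Because the script never checks iptables exit codes, either problem only prints an error while the firewall keeps loading with the clamp silently missing, so a `|| echo "MSS clamp rule failed on $i" >&2` on those lines is worth adding. The `if [ $CLAMPMSS ]` block's closing `fi` lies outside the hunk.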