RFC 1918 space blocking

ChangeLog

@@ -1,3 +1,7 @@
+0.9.8 - Brielle Bruns <bruns@2mbit.com>
+	- Almost at v1.0 quality for my tastes
+	- BLOCK_(INCOMING/OUTGOING)_RFC1918 options to help sure up security of LAN space leakage
+
 0.9.7 - Brielle Bruns <bruns@2mbit.com>
 	- Support for marking packets, uses new config file and
 	  IPv4_MARK file option

bin/firewall-sosdg

@@ -18,7 +18,7 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-FW_VERSION="0.9.7"
+FW_VERSION="0.9.8"
 
 # These option is here to help pre-1.0 users easily upgrade, defines critical defaults
 # that would otherwise require remaking their options file.  I leave this on by default,
@@ -145,6 +145,33 @@ if [ $BLOCKEDIP ]; then
 echo -ne "\n"
 fi
 
+
+if [ "$BLOCK_OUTGOING_RFC1918" ]; then
+	display_c YELLOW "Blocking RFC1918 space going out on: " N
+		for i in $BLOCK_OUTGOING_RFC1918; do
+			display_c BLUE "$i" N
+			for x in $RFC1918_SPACE; do
+				$IPTABLES -A OUTPUT -d $i -s $x -j DROP
+				$IPTABLES -A FORWARD -d $i -s $x -j DROP
+			done
+		done
+		echo -ne "\n"
+		unset i x
+fi
+
+if [ "$BLOCK_INCOMING_RFC1918" ]; then
+	display_c YELLOW "Blocking RFC1918 space coming in on: " N
+		for i in $BLOCK_INCOMING_RFC1918; do
+			display_c BLUE "$i" N
+			for x in $RFC1918_SPACE; do
+				$IPTABLES -A OUTPUT -s $i -s $x -j DROP
+				$IPTABLES -A FORWARD -s $i -s $x -j DROP
+			done
+		done
+		echo -ne "\n"
+		unset i x
+fi
+
 if [ "$STRIPECN" ]; then
 	display_c YELLOW "Stripping ECN off of TCP packets to " N
 	for i in $STRIPECN; do

include/static

@@ -51,4 +51,7 @@ PROC_NET_IPV4="/proc/sys/net/ipv4/conf"
 
 # Multiport options - override in options
 NF_MULTIPORT="xt_multiport"
-NF_MULTIPORT_MAX_PORTS="7"
+NF_MULTIPORT_MAX_PORTS="7"
+
+# RFC 1918 Space
+RFC1918_SPACE="192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"

options.default

@@ -82,7 +82,6 @@ IPv4_MARK=$BASEDIR/ipv4-marks
 #
 HACK_IPV4="NS-IN-DDOS"
 
-
 #==============
 # Obsolete - DO NOT USE ANYMORE. Will be removed in 1.0
 # IP ranges(s) to NAT using SNAT.
@@ -97,7 +96,6 @@ HACK_IPV4="NS-IN-DDOS"
 # MASQ:<INT IF>:<INT IP>:<EXT IF>
 #NAT_RANGE=
 
-
 # IP Ranges to block all traffic incoming/outgoing
 BLOCKEDIP=$BASEDIR/blocked
 
@@ -109,6 +107,20 @@ BLOCKEDIP=$BASEDIR/blocked
 # Either individual IPs or 0.0.0.0/0
 STRIPECN="0.0.0.0/0"
 
+# Block private LAN traffic (RFC reserved space) going OUT on these interfaces
+# for security reasons.  This has the potential to cause issues if your
+# provider uses private IP space for uplinks in PPPoE/PPPoA, so don't use it
+# and use BLOCK_INCOMING_RFC1981 instead.
+#BLOCK_OUTGOING_RFC1918="ppp0"
+
+# Block private LAN traffic (RFC reserved space) coming IN on these interfaces
+# for security reasons.  This is a bit more safer to use if your provider uses
+# private IP space for the other end of PPP links.
+#BLOCK_INCOMING_RFC1918="ppp0"
+
+# RFC1918 Space override, don't change or uncomment this unless you absolutely need to
+#RFC1918_SPACE="192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"
+
 
 # IPv6 related features.  Commenting out IPV6 variable disables ALL
 # IPv6 related items