From 50fd9abccbbc2526c1c4e70ca7b3c52f23c212ce Mon Sep 17 00:00:00 2001
From: bbruns
Date: Tue, 2 Aug 2011 03:47:51 +0000
Subject: [PATCH] More tweaks to the NAT forward conntrack

---
 ChangeLog | 4 ++++
 bin/firewall-sosdg | 14 ++++++++++----
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index f33c0b8..0ddb286 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,9 @@
 0.9.14 - Brielle Bruns
 - IPv6 DHCP bypass rules (IPV6_LANDHCPSERVER)
+ - Move FORWARD Established,Related rules to inside NAT rules, since without NAT,
+ we're not really going to need to track connections forwarding through the system.
+ I can probably be proven wrong if you don't use NAT but use the script for stateful
+ firewalling with non-RFC1918 IPs....
 
 0.9.13 - Brielle Bruns
 - Fix location of ipv6 fi statement, moved to end of ipv6 rules
diff --git a/bin/firewall-sosdg b/bin/firewall-sosdg
index b8ac58a..df2a3c9 100755
--- a/bin/firewall-sosdg
+++ b/bin/firewall-sosdg
@@ -346,7 +346,7 @@ if [ "$CONNTRACK" ]; then
 #$IPTABLES -A OUTPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
 $IPTABLES -A INPUT ${M_STATE} ${C_STATE} INVALID -j DROP
 $IPTABLES -A OUTPUT ${M_STATE} ${C_STATE} INVALID -j DROP
-$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -j DROP
+#$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -j DROP
 fi
 
 if [ -s "$BASEDIR/include/ipv4_custom_blockoutports" ]; then
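Review bot: Commenting out the chain-wide `FORWARD ${M_STATE} ${C_STATE} INVALID -j DROP` leaves INVALID packets unhandled on every forwarding path the per-NAT rules do not cover: the replacement drop added in the NAT hunks matches only `-o ${NAT_RULE[1]} -d ${NAT_RULE[2]}`, so the inside-to-outside direction and any forwarding with no NAT entry now fall through to whatever follows, which depends on the FORWARD policy not visible here (the ChangeLog entry itself concedes the non-NAT stateful case). INVALID handling for INPUT and OUTPUT two lines above is kept chain-wide, so the FORWARD chain is now the odd one out. I would keep the global rule alongside the per-NAT ones by restoring `$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -j DROP`; it is harmless when NAT is in use and a duplicate drop costs nothing. The enclosing `if [ "$CONNTRACK" ]` block starts before the hunk.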
@@ -687,7 +687,9 @@ if [ $NAT ]; then
 SNAT)
 $IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j SNAT \
 -o ${NAT_RULE[3]} --to-source ${NAT_RULE[4]}
-$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} -j ACCEPT
+$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW,RELATED,ESTABLISHED -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} -j ACCEPT
+$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW,RELATED,ESTABLISHED -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -j ACCEPT
+$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -j DROP
 display_c DEFAULT "\t${GREEN}SNAT:${PURPLE}${NAT_RULE[1]}:${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}:${NAT_RULE[4]}"
 if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}" ]]; then
 $IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} \
@@ -706,7 +708,9 @@ if [ $NAT ]; then
 ;;
 MASQ)
 $IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j MASQUERADE -o ${NAT_RULE[3]}
-$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} -j ACCEPT
+$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW,RELATED,ESTABLISHED -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} -j ACCEPT
+$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW,RELATED,ESTABLISHED -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -j ACCEPT
+$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -j DROP
 display_c DEFAULT "\t${GREEN}MASQ:${PURPLE}${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}"
 if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}" ]]; then
 $IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} \
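Review bot: The new `-o ${NAT_RULE[1]} -d ${NAT_RULE[2]}` ACCEPT in the SNAT arm (and the identical lines in the MASQ hunk below and the NETMAP hunk that follows) includes `NEW`, so any fresh connection that reaches FORWARD with a destination inside the NAT'd network is accepted outright; for SNAT/MASQ that direction only has to carry replies to connections opened from inside, and traffic that arrives there via a DNAT or a directly routed prefix (the non-RFC1918 case the ChangeLog mentions) would presumably be expected to pass explicit port-forward rules instead. I would restrict that rule to the reply states: `$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -j ACCEPT`. The INVALID drop is likewise only added for the `-o`/`-d` direction, so with the chain-wide drop commented out earlier in this patch, INVALID packets arriving `-i ${NAT_RULE[1]} -s ${NAT_RULE[2]}` are no longer dropped in FORWARD; a matching `INVALID -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} -j DROP` line, or keeping the global rule, closes that. The enclosing `case` and `if [ $NAT ]` start before the hunk.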
@@ -725,7 +729,9 @@ if [ $NAT ]; then
 ;;
 NETMAP)
 $IPTABLES -A PREROUTING -t nat -s ${NAT_RULE[2]} -j NETMAP --to ${NAT_RULE[4]}
-$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} -j ACCEPT
+$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW,RELATED,ESTABLISHED -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} -j ACCEPT
+$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW,RELATED,ESTABLISHED -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -j ACCEPT
+$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -j DROP
 display_c DEFAULT "\t${GREEN}NETMAP:${PURPLE}${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[4]}"
 if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}" ]]; then
 $IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} \