IPv6 support improved
parent
26b9d2f22b
commit
aa881a3a69
@ -1,6 +1,9 @@
|
||||||
0.9.9 - Brielle Bruns <bruns@2mbit.com>
|
0.9.9 - Brielle Bruns <bruns@2mbit.com>
|
||||||
- Loadable module support during firewall loading
|
- Loadable module support during firewall loading
|
||||||
- More init script fixes.
|
- More init script fixes.
|
||||||
|
- Non-conntracked DNS reply packets allow options
|
||||||
|
- Slightly improved IPv6 support to start to bring
|
||||||
|
it up to par with IPv4 support.Ã
|
||||||
|
|
||||||
0.9.8a - Brielle Bruns <bruns@2mbit.com>
|
0.9.8a - Brielle Bruns <bruns@2mbit.com>
|
||||||
- Fixing executable file permission issues
|
- Fixing executable file permission issues
|
||||||
|
|
|
@ -143,7 +143,6 @@ if [ "$DNS_REQUESTS_OUT" ]; then
|
||||||
display_c YELLOW "Adding DNS reply allows for trusted DNS servers.."
|
display_c YELLOW "Adding DNS reply allows for trusted DNS servers.."
|
||||||
for i in $DNS_REQUESTS_OUT; do
|
for i in $DNS_REQUESTS_OUT; do
|
||||||
if [[ "$i" =~ "|" ]]; then
|
if [[ "$i" =~ "|" ]]; then
|
||||||
echo "Original variable: ${DNS_REQUESTS_OUT}"
|
|
||||||
IFS_OLD=${IFS};IFS=\|
|
IFS_OLD=${IFS};IFS=\|
|
||||||
DNSREQ=($i)
|
DNSREQ=($i)
|
||||||
IFS=${IFS_OLD}
|
IFS=${IFS_OLD}
|
||||||
|
@ -599,6 +598,27 @@ if [ $IPV6 ]; then
|
||||||
. "$BASEDIR/include/ipv4_custom_blockip"
|
. "$BASEDIR/include/ipv4_custom_blockip"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ "$IPV6_DNS_REQUESTS_OUT" ]; then
|
||||||
|
display_c YELLOW "Adding IPv6 DNS reply allows for trusted DNS servers.."
|
||||||
|
for i in $DNS_REQUESTS_OUT; do
|
||||||
|
if [[ "$i" =~ "|" ]]; then
|
||||||
|
IFS_OLD=${IFS};IFS=\|
|
||||||
|
DNSREQ=($i)
|
||||||
|
IFS=${IFS_OLD}
|
||||||
|
SRCIF=${DNSREQ[0]}
|
||||||
|
DNSIP_NUM=${#DNSREQ[@]}
|
||||||
|
DNSIP_COUNT_CURR=1
|
||||||
|
for ((i=$DNSIP_COUNT_CURR; i <= $DNSIP_NUM; i++)); do
|
||||||
|
if [ ${DNSREQ[$i]} ]; then
|
||||||
|
${IP6TABLES} -A INPUT -i ${SRCIF} -p udp --sport 53 -s ${DNSREQ[$i]} --destination-port 1024:65535 -j ACCEPT
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
else
|
||||||
|
${IP6TABLES} -A INPUT -i $i -p udp --sport 53 --destination-port 1024:65535 -j ACCEPT
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
|
||||||
if [ "$BLOCKEDIPV6" ]; then
|
if [ "$BLOCKEDIPV6" ]; then
|
||||||
display_c YELLOW "Adding blocked IPv6 addresses... "
|
display_c YELLOW "Adding blocked IPv6 addresses... "
|
||||||
for i in `grep -v "\#" $BLOCKEDIPV6`; do
|
for i in `grep -v "\#" $BLOCKEDIPV6`; do
|
||||||
|
@ -747,7 +767,12 @@ fi
|
||||||
. "$BASEDIR/include/ipv6_custom_conntrack"
|
. "$BASEDIR/include/ipv6_custom_conntrack"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ $IPV6ROUTEDCLIENTBLOCK ]; then
|
if [ -s "$BASEDIR/include/ipv6_custom_conntrack" ]; then
|
||||||
|
display_c YELLOW "Loading custom IPv6 conntrack rules..."
|
||||||
|
. "$BASEDIR/include/ipv6_custom_conntrack"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$IPV6CONNTRACK" ]; then
|
||||||
$IP6TABLES -A INPUT -m state --state NEW -j ACCEPT
|
$IP6TABLES -A INPUT -m state --state NEW -j ACCEPT
|
||||||
$IP6TABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
$IP6TABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||||
$IP6TABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
|
$IP6TABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||||
|
@ -757,6 +782,9 @@ fi
|
||||||
$IP6TABLES -A INPUT -m state --state INVALID -j DROP
|
$IP6TABLES -A INPUT -m state --state INVALID -j DROP
|
||||||
$IP6TABLES -A OUTPUT -m state --state INVALID -j DROP
|
$IP6TABLES -A OUTPUT -m state --state INVALID -j DROP
|
||||||
$IP6TABLES -A FORWARD -m state --state INVALID -j DROP
|
$IP6TABLES -A FORWARD -m state --state INVALID -j DROP
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ $IPV6ROUTEDCLIENTBLOCK ]; then
|
||||||
$IP6TABLES -A FORWARD -i $IPV6INT -o $IPV6LAN -p tcp --syn -j DROP
|
$IP6TABLES -A FORWARD -i $IPV6INT -o $IPV6LAN -p tcp --syn -j DROP
|
||||||
$IP6TABLES -A INPUT -i $IPV6INT -p tcp --syn -j DROP
|
$IP6TABLES -A INPUT -i $IPV6INT -p tcp --syn -j DROP
|
||||||
$IP6TABLES -A INPUT -i $IPV6INT -p udp ! --dport 32768:65535 -j DROP
|
$IP6TABLES -A INPUT -i $IPV6INT -p udp ! --dport 32768:65535 -j DROP
|
||||||
|
|
|
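Review bot: The new IPv6 DNS block is guarded by `IPV6_DNS_REQUESTS_OUT` but its loop still iterates the IPv4 variable — `for i in $DNS_REQUESTS_OUT; do` should read `for i in $IPV6_DNS_REQUESTS_OUT; do`; as written, the IPv6 setting from the sample config is never consulted, and any IPv4 server addresses in `DNS_REQUESTS_OUT` are passed to `${IP6TABLES} ... -s`, which ip6tables will not accept. The inner `for ((i=$DNSIP_COUNT_CURR; ...))` counter shadows the outer loop variable `i`; it works only because the outer word list is expanded once, so a distinct counter name (say `n`) would make the block, and the IPv4 block it was copied from, easier to read. In the `@ -747` hunk, `include/ipv6_custom_conntrack` is already sourced by the context line just above the new `-s` check, so on the new side it appears to be sourced twice whenever that earlier condition holds; that earlier `if` starts outside the hunk. The enclosing `if [ $IPV6 ]` block also begins outside the visible hunks.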
@ -9,4 +9,4 @@ ipv4_custom_blockip ipv4_custom_mark
|
||||||
|
|
||||||
ipv6_custom_flush ipv6_custom_trust ipv6_custom_mssclamp
|
ipv6_custom_flush ipv6_custom_trust ipv6_custom_mssclamp
|
||||||
ipv6_custom_blockoutports ipv6_custom_allowedports ipv6_custom_conntrack
|
ipv6_custom_blockoutports ipv6_custom_allowedports ipv6_custom_conntrack
|
||||||
ipv6_custom_routing ipv6_custom_blockincoming
|
ipv6_custom_routing ipv6_custom_blockincoming ipv6_custom_conntrack
|
||||||
|
|
|
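Review bot: The new line adds `ipv6_custom_conntrack` to the list, but the same name is already present two lines above on both sides, so the new file lists it twice. If this list drives include-file creation or iteration, the duplicate is at best redundant and at worst processes the file twice; drop the trailing `ipv6_custom_conntrack` from the new line.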
@ -54,7 +54,7 @@ IPTABLES_MULTIPORT=auto
|
||||||
|
|
||||||
# Allow outgoing DNS requests - important if you did not activate connection
|
# Allow outgoing DNS requests - important if you did not activate connection
|
||||||
# tracking. Set this to the interfaces you wish to use for outgoing requests
|
# tracking. Set this to the interfaces you wish to use for outgoing requests
|
||||||
# plus the IP addresses of your upstream servers (up to 3) if you need to.
|
# plus the IP addresses of your upstream servers (recommended up to 3) if you need to.
|
||||||
#DNS_REQUESTS_OUT="eth0|4.2.2.1|4.2.2.2|4.2.2.3 eth1"
|
#DNS_REQUESTS_OUT="eth0|4.2.2.1|4.2.2.2|4.2.2.3 eth1"
|
||||||
|
|
||||||
# TCP/UDP/Protocol to allow
|
# TCP/UDP/Protocol to allow
|
||||||
|
@ -129,6 +129,14 @@ IPV6=1
|
||||||
# IPv6 Forwarding
|
# IPv6 Forwarding
|
||||||
#IPV6FORWARD=1
|
#IPV6FORWARD=1
|
||||||
|
|
||||||
|
# Do IPv6 connection tracking?
|
||||||
|
#IPV6CONNTRACK=1
|
||||||
|
|
||||||
|
# Allow outgoing DNS requests - important if you did not activate connection
|
||||||
|
# tracking. Set this to the interfaces you wish to use for outgoing requests
|
||||||
|
# plus the IP addresses of your upstream servers (recommended up to 3) if you need to.
|
||||||
|
#IPV6_DNS_REQUESTS_OUT="eth0|2001::1|2001::2|2001::3 eth1"
|
||||||
|
|
||||||
# Default block all incoming ipv6 connections?
|
# Default block all incoming ipv6 connections?
|
||||||
IPV6BLOCKINCOMING=1
|
IPV6BLOCKINCOMING=1
|
||||||
|
|
||||||
|
|
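Review bot: The new comment above `#IPV6CONNTRACK=1` reads only `# Do IPv6 connection tracking?`, which undersells the flag: in the script hunk on this page the `if [ "$IPV6CONNTRACK" ]` block installs `INPUT -m state --state NEW -j ACCEPT` as well as the RELATED,ESTABLISHED accepts and INVALID drops, so it is a policy choice rather than a pure tracking toggle. Suggest `# Do IPv6 connection tracking? Also ACCEPTs NEW inbound connections on INPUT (see IPV6BLOCKINCOMING).` so an operator can weigh it against the default-block setting; how the two interact depends on rule order, which is not visible here.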