IPv6 support improved

master
bbruns 2010-10-13 20:27:41 +00:00
parent 26b9d2f22b
commit aa881a3a69
4 changed files with 43 additions and 4 deletions


@ -1,6 +1,9 @@
0.9.9 - Brielle Bruns <bruns@2mbit.com> 0.9.9 - Brielle Bruns <bruns@2mbit.com>
- Loadable module support during firewall loading - Loadable module support during firewall loading
- More init script fixes. - More init script fixes.
- Non-conntracked DNS reply packets allow options
- Slightly improved IPv6 support to start to bring
it up to par with IPv4 support.Ã
0.9.8a - Brielle Bruns <bruns@2mbit.com> 0.9.8a - Brielle Bruns <bruns@2mbit.com>
- Fixing executable file permission issues - Fixing executable file permission issues


@ -143,7 +143,6 @@ if [ "$DNS_REQUESTS_OUT" ]; then
display_c YELLOW "Adding DNS reply allows for trusted DNS servers.." display_c YELLOW "Adding DNS reply allows for trusted DNS servers.."
for i in $DNS_REQUESTS_OUT; do for i in $DNS_REQUESTS_OUT; do
if [[ "$i" =~ "|" ]]; then if [[ "$i" =~ "|" ]]; then
echo "Original variable: ${DNS_REQUESTS_OUT}"
IFS_OLD=${IFS};IFS=\| IFS_OLD=${IFS};IFS=\|
DNSREQ=($i) DNSREQ=($i)
IFS=${IFS_OLD} IFS=${IFS_OLD}
@ -599,6 +598,27 @@ if [ $IPV6 ]; then
. "$BASEDIR/include/ipv4_custom_blockip" . "$BASEDIR/include/ipv4_custom_blockip"
fi fi
if [ "$IPV6_DNS_REQUESTS_OUT" ]; then
display_c YELLOW "Adding IPv6 DNS reply allows for trusted DNS servers.."
for i in $DNS_REQUESTS_OUT; do
if [[ "$i" =~ "|" ]]; then
IFS_OLD=${IFS};IFS=\|
DNSREQ=($i)
IFS=${IFS_OLD}
SRCIF=${DNSREQ[0]}
DNSIP_NUM=${#DNSREQ[@]}
DNSIP_COUNT_CURR=1
for ((i=$DNSIP_COUNT_CURR; i <= $DNSIP_NUM; i++)); do
if [ ${DNSREQ[$i]} ]; then
${IP6TABLES} -A INPUT -i ${SRCIF} -p udp --sport 53 -s ${DNSREQ[$i]} --destination-port 1024:65535 -j ACCEPT
fi
done
else
${IP6TABLES} -A INPUT -i $i -p udp --sport 53 --destination-port 1024:65535 -j ACCEPT
fi
done
fi
if [ "$BLOCKEDIPV6" ]; then if [ "$BLOCKEDIPV6" ]; then
display_c YELLOW "Adding blocked IPv6 addresses... " display_c YELLOW "Adding blocked IPv6 addresses... "
for i in `grep -v "\#" $BLOCKEDIPV6`; do for i in `grep -v "\#" $BLOCKEDIPV6`; do
@ -747,7 +767,12 @@ fi
. "$BASEDIR/include/ipv6_custom_conntrack" . "$BASEDIR/include/ipv6_custom_conntrack"
fi fi
if [ $IPV6ROUTEDCLIENTBLOCK ]; then if [ -s "$BASEDIR/include/ipv6_custom_conntrack" ]; then
display_c YELLOW "Loading custom IPv6 conntrack rules..."
. "$BASEDIR/include/ipv6_custom_conntrack"
fi
if [ "$IPV6CONNTRACK" ]; then
$IP6TABLES -A INPUT -m state --state NEW -j ACCEPT $IP6TABLES -A INPUT -m state --state NEW -j ACCEPT
$IP6TABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT $IP6TABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IP6TABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT $IP6TABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
@ -757,6 +782,9 @@ fi
$IP6TABLES -A INPUT -m state --state INVALID -j DROP $IP6TABLES -A INPUT -m state --state INVALID -j DROP
$IP6TABLES -A OUTPUT -m state --state INVALID -j DROP $IP6TABLES -A OUTPUT -m state --state INVALID -j DROP
$IP6TABLES -A FORWARD -m state --state INVALID -j DROP $IP6TABLES -A FORWARD -m state --state INVALID -j DROP
fi
if [ $IPV6ROUTEDCLIENTBLOCK ]; then
$IP6TABLES -A FORWARD -i $IPV6INT -o $IPV6LAN -p tcp --syn -j DROP $IP6TABLES -A FORWARD -i $IPV6INT -o $IPV6LAN -p tcp --syn -j DROP
$IP6TABLES -A INPUT -i $IPV6INT -p tcp --syn -j DROP $IP6TABLES -A INPUT -i $IPV6INT -p tcp --syn -j DROP
$IP6TABLES -A INPUT -i $IPV6INT -p udp ! --dport 32768:65535 -j DROP $IP6TABLES -A INPUT -i $IPV6INT -p udp ! --dport 32768:65535 -j DROP
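Review bot: The new IPv6 DNS-reply block is guarded by `if [ "$IPV6_DNS_REQUESTS_OUT" ]` but its loop reads `for i in $DNS_REQUESTS_OUT; do`, the IPv4 list, so the ip6tables rules are built from the wrong variable: any IPv4 server addresses in DNS_REQUESTS_OUT are handed to ip6tables `-s` (which rejects them), interface-only entries from the IPv4 list get a broad sport-53 accept on IPv6, and the servers actually configured in IPV6_DNS_REQUESTS_OUT never get their accept rules; it should read `for i in $IPV6_DNS_REQUESTS_OUT; do`. Separately, the hunk at -747 sources `$BASEDIR/include/ipv6_custom_conntrack` a second time immediately after the context lines that already source it, and the include-list file section below gains a duplicate `ipv6_custom_conntrack` entry on its last line; if a different include was meant this looks like a copy-paste slip, otherwise the new block and list entry can be dropped. The enclosing `if [ $IPV6 ]` block of the DNS hunk starts and ends outside the hunk.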


@ -9,4 +9,4 @@ ipv4_custom_blockip ipv4_custom_mark
ipv6_custom_flush ipv6_custom_trust ipv6_custom_mssclamp ipv6_custom_flush ipv6_custom_trust ipv6_custom_mssclamp
ipv6_custom_blockoutports ipv6_custom_allowedports ipv6_custom_conntrack ipv6_custom_blockoutports ipv6_custom_allowedports ipv6_custom_conntrack
ipv6_custom_routing ipv6_custom_blockincoming ipv6_custom_routing ipv6_custom_blockincoming ipv6_custom_conntrack


@ -54,7 +54,7 @@ IPTABLES_MULTIPORT=auto
# Allow outgoing DNS requests - important if you did not activate connection # Allow outgoing DNS requests - important if you did not activate connection
# tracking. Set this to the interfaces you wish to use for outgoing requests # tracking. Set this to the interfaces you wish to use for outgoing requests
# plus the IP addresses of your upstream servers (up to 3) if you need to. # plus the IP addresses of your upstream servers (recommended up to 3) if you need to.
#DNS_REQUESTS_OUT="eth0|4.2.2.1|4.2.2.2|4.2.2.3 eth1" #DNS_REQUESTS_OUT="eth0|4.2.2.1|4.2.2.2|4.2.2.3 eth1"
# TCP/UDP/Protocol to allow # TCP/UDP/Protocol to allow
@ -129,6 +129,14 @@ IPV6=1
# IPv6 Forwarding # IPv6 Forwarding
#IPV6FORWARD=1 #IPV6FORWARD=1
# Do IPv6 connection tracking?
#IPV6CONNTRACK=1
# Allow outgoing DNS requests - important if you did not activate connection
# tracking. Set this to the interfaces you wish to use for outgoing requests
# plus the IP addresses of your upstream servers (recommended up to 3) if you need to.
#IPV6_DNS_REQUESTS_OUT="eth0|2001::1|2001::2|2001::3 eth1"
# Default block all incoming ipv6 connections? # Default block all incoming ipv6 connections?
IPV6BLOCKINCOMING=1 IPV6BLOCKINCOMING=1
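Review bot: The sample `#IPV6_DNS_REQUESTS_OUT="eth0|2001::1|2001::2|2001::3 eth1"` uses addresses under 2001::/32, which is the Teredo prefix rather than an example range, so a user who uncomments it verbatim accepts DNS replies from addresses they do not control; the documentation prefix 2001:db8::/32 is the conventional choice, e.g. `#IPV6_DNS_REQUESTS_OUT="eth0|2001:db8::1|2001:db8::2|2001:db8::3 eth1"`. The `# Do IPv6 connection tracking?` comment could also say what the switch controls; from the firewall hunk it gates the ip6tables RELATED,ESTABLISHED accept and INVALID drop rules, so something like `# Do IPv6 connection tracking? Adds the RELATED,ESTABLISHED accept and INVALID drop rules.` would make the trade-off against IPV6_DNS_REQUESTS_OUT visible, matching the wording already used for the IPv4 option above.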