IPv6 variable rename plus compattibility settings in static

master
bbruns 2010-10-13 21:15:10 +00:00
parent c2dc9a4fd6
commit fc6b4ed4ce
4 changed files with 54 additions and 63 deletions


@ -3,8 +3,9 @@
- More init script fixes.
- Non-conntracked DNS reply packets allow options
- Slightly improved IPv6 support to start to bring
it up to par with IPv4 support.Ã
it up to par with IPv4 support.
- ipv6 marking support, changed ipv4 to use | instead of :
- Renamed IPV6 variables, compatibility in place for now in static file
0.9.8a - Brielle Bruns <bruns@2mbit.com>
- Fixing executable file permission issues


@ -618,10 +618,14 @@ if [ "$IPV6_DNS_REQUESTS_OUT" ]; then
fi
done
fi
if [ "$BLOCKEDIPV6" ]; then
if [ -s "$BASEDIR/include/ipv6_custom_blockoutports" ]; then
display_c YELLOW "Loading custom IPv6 blocked outbound port rules..."
. "$BASEDIR/include/ipv6_custom_blockoutports"
fi
if [ "$IPV6_BLOCKEDIP" ]; then
display_c YELLOW "Adding blocked IPv6 addresses... "
for i in `grep -v "\#" $BLOCKEDIPV6`; do
for i in `grep -v "\#" $IPV6_BLOCKEDIP`; do
if [[ "$i" =~ "|" ]]; then
IFS_OLD=${IFS};IFS=\|
ADVBLKIP=($i)
@ -678,9 +682,9 @@ fi
. "$BASEDIR/include/ipv6_custom_mssclamp"
fi
if [ "$CLAMPMSSIPV6" ]; then
if [ "$IPV6_CLAMPMSS" ]; then
display_c YELLOW "Clamping IPV6 MSS to PMTU..."
for i in $CLAMPMSSIPV6; do
for i in $IPV6_CLAMPMSS; do
$IP6TABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
-j TCPMSS --clamp-mss-to-pmtu -o $i -m tcpmss \
--mss 1280:1536
@ -699,36 +703,15 @@ fi
done
fi
if [ -s "$BASEDIR/include/ipv6_custom_blockoutports" ]; then
display_c YELLOW "Loading custom IPv6 blocked outbound port rules..."
. "$BASEDIR/include/ipv6_custom_blockoutports"
fi
if [ "$BLOCKIPV6TCPPORTS" ] || [ "$BLOCKIPV6UDPPORTS" ]; then
display_c YELLOW "Blocking outbound port: " N
if [ "$BLOCKIPV6TCPPORTS" ]; then
for i in $BLOCKIPV6TCPPORTS; do
echo -en "${PURPLE}TCP${DEFAULT_COLOR}/${GREEN}$i "
$IP6TABLES -A OUTPUT -p tcp --dport $i --syn -j DROP
done
fi
if [ "$BLOCKIPV6UDPPORTS" ]; then
for i in $BLOCKIPV6UDPPORTS; do
echo -en "${BLUE}UDP${DEFAULT_COLOR}/${GREEN}$i "
$IP6TABLES -A OUTPUT -p udp --dport $i -j DROP
done
fi
reset_color
fi
if [ -s "$BASEDIR/include/ipv6_custom_allowedports" ]; then
display_c YELLOW "Loading custom IPv6 allowed port rules..."
. "$BASEDIR/include/ipv6_custom_allowedports"
fi
if [ "$IPV6TCP" ] || [ "$IPV6UDP" ]; then
if [ "$IPV6_TCPPORTS" ] || [ "$IPV6_UDPPORTS" ]; then
display_c YELLOW "Adding allowed IPv6 port: " N
if [ "$IPV6TCP" ]; then
if [ "$IPV6_TCPPORTS" ]; then
if [ "$IPTABLES_MULTIPORT" == "yes" ] && [ "$NF_MULTIPORT_MAX_PORTS" ]; then
IPV6TCP=($IPV6TCP)
IPV6_TCPPORTS=($IPV6_TCPPORTS)
PORTS_COUNT=${#IPV6TCP[@]}
PORTS_COUNT_CURR=0
while (( "$PORTS_COUNT_CURR" < "$PORTS_COUNT" )); do
@ -750,8 +733,8 @@ fi
$IP6TABLES -A INPUT -p tcp --dport $i -j ACCEPT
done
fi
if [ "$IPV6UDP" ]; then
for i in $IPV6UDP; do
if [ "$IPV6_UDPPORTS" ]; then
for i in $IPV6_UDPPORTS; do
echo -en "${BLUE}UDP${DEFAULT_COLOR}/${GREEN}$i "
$IP6TABLES -A OUTPUT -p udp --sport 1:65535 --dport $i -j ACCEPT
$IP6TABLES -A INPUT -p udp --dport $i --sport 1:65535 -j ACCEPT
@ -767,9 +750,9 @@ fi
. "$BASEDIR/include/ipv6_custom_mark"
fi
if [ -r "$IPv6_MARK" ]; then
if [ -r "$IPV6_MARK" ]; then
display_c YELLOW "Adding IPv6 mark: "
for i in `grep -v "\#" $IPv6_MARK`; do
for i in `grep -v "\#" $IPV6_MARK`; do
MARK=( ${i//|/ } )
INIF=${MARK[0]}
INIP=${MARK[1]}
@ -798,7 +781,7 @@ fi
. "$BASEDIR/include/ipv6_custom_conntrack"
fi
if [ "$IPV6CONNTRACK" ]; then
if [ "$IPV6_CONNTRACK" ]; then
$IP6TABLES -A INPUT -m state --state NEW -j ACCEPT
$IP6TABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IP6TABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
@ -810,7 +793,7 @@ fi
$IP6TABLES -A FORWARD -m state --state INVALID -j DROP
fi
if [ $IPV6ROUTEDCLIENTBLOCK ]; then
if [ $IPV6_ROUTEDCLIENTBLOCK ]; then
$IP6TABLES -A FORWARD -i $IPV6INT -o $IPV6LAN -p tcp --syn -j DROP
$IP6TABLES -A INPUT -i $IPV6INT -p tcp --syn -j DROP
$IP6TABLES -A INPUT -i $IPV6INT -p udp ! --dport 32768:65535 -j DROP
@ -823,8 +806,8 @@ fi
display_c YELLOW "Loading custom IPv6 routing rules..."
. "$BASEDIR/include/ipv6_custom_routing"
fi
if [ "$IPV6FORWARDRANGE" ]; then
for i in $IPV6FORWARDRANGE; do
if [ "$IPV6_FORWARDRANGE" ]; then
for i in $IPV6_FORWARDRANGE; do
$IP6TABLES -A FORWARD -s $i -j ACCEPT
$IP6TABLES -A FORWARD -d $i -j ACCEPT
done
@ -834,7 +817,7 @@ fi
display_c YELLOW "Loading custom IPv6 incoming blocked port rules..."
. "$BASEDIR/include/ipv6_custom_blockincoming"
fi
if [ $IPV6BLOCKINCOMING ]; then
if [ $IPV6_BLOCKINCOMING ]; then
$IP6TABLES -A INPUT -p tcp --syn -j DROP
$IP6TABLES -A INPUT -p udp -j DROP
fi
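Review bot: The routed-client block under `if [ $IPV6_ROUTEDCLIENTBLOCK ]` (renamed to `IPV6_ROUTEDCLIENTBLOCK` in this hunk) still passes `$IPV6INT` and `$IPV6LAN` to ip6tables, while this same commit renames those to `IPV6_INT`/`IPV6_LAN` in the sample config and the compat shim only maps the old names onto the new ones, not the reverse; a config written with the new names therefore expands the `-i`/`-o` arguments to nothing and those three DROP rules are not installed as intended (the shell drops the empty words, so ip6tables sees a malformed rule). The lines should read `$IP6TABLES -A FORWARD -i "$IPV6_INT" -o "$IPV6_LAN" -p tcp --syn -j DROP`, `$IP6TABLES -A INPUT -i "$IPV6_INT" -p tcp --syn -j DROP` and `$IP6TABLES -A INPUT -i "$IPV6_INT" -p udp ! --dport 32768:65535 -j DROP`. The same one-way mapping presumably affects any other place the script still reads `IPV6INT`/`IPV6LAN`/`IPV6TRUSTED` outside these hunks; worth a grep before release. The `if` opened at the `IPV6_ROUTEDCLIENTBLOCK` test and the later `IPV6_BLOCKINCOMING` test should also quote their operands (`if [ "$IPV6_ROUTEDCLIENTBLOCK" ]; then`, `if [ "$IPV6_BLOCKINCOMING" ]; then`), matching the quoting used by the other guards in this file; that `if` block closes outside the hunk.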


@ -27,6 +27,19 @@
# but if you want to make sure you have a current options file, define this to 0.
if [[ "$COMPAT_CONFIG" == "1" ]]; then
MODPROBE=`which modprobe`
# These are temp compatibility with old config files with IPv6
IPV6_FORWARD=${IPV6_FORWARD=$IPV6FORWARD}
IPV6_CONNTRACK=${IPV6_CONNTRACK=$IPV6CONNTRACK}
IPV6_BLOCKINCOMING=${$IPV6_BLOCKINCOMING=$IPV6BLOCKINCOMING}
IPV6_MARK=${IPV6_MARK=$IPv6_MARK}
IPV6_BLOCKED=${IPV6_BLOCKED=$BLOCKEDIPV6}
IPV6_CLAMPMSS=${IPV6_CLAMPMSS=$CLAMPMSSIPV6}
IPV6_INT=${IPV6_INT=$IPV6INT}
IPV6_LAN=${IPV6_LAN=$IPV6LAN}
IPV6_TRUSTED=${IPV6_TRUSTED=$IPV6TRUSTED}
IPV6_TCPPORTS=${IPV6_TCPPORTS=$IPV6TCP}
IPV6_UDPPORTS=${IPV6_UDPPORTS=$IPV6UDP}
IPV6_FORWARDRANGE=${IPV6_FORWARDRANGE=$IPV6FORWARDRANGE}
fi
PRERUN="$BASEDIR/prerun"
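Review bot: `IPV6_BLOCKINCOMING=${$IPV6_BLOCKINCOMING=$IPV6BLOCKINCOMING}` has a stray `$` inside the braces; bash reports a bad substitution there, and because the shell is non-interactive it stops at that point, so the remaining compat assignments and the `PRERUN` line below never execute when `COMPAT_CONFIG` is `1`. It should read `IPV6_BLOCKINCOMING=${IPV6_BLOCKINCOMING=$IPV6BLOCKINCOMING}`. Two lines further down the shim assigns `IPV6_BLOCKED`, but the firewall script in this commit tests `"$IPV6_BLOCKEDIP"` before loading the blocked-address list and the sample config documents `IPV6_BLOCKEDIP`, so an old config's `BLOCKEDIPV6` list is silently never applied; it should be `IPV6_BLOCKEDIP=${IPV6_BLOCKEDIP=$BLOCKEDIPV6}`. Note also that `${VAR=old}` only fills in an unset new-style variable, and the mapping is one-directional, so the script must read only the new names everywhere for the shim to be sufficient.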


@ -98,14 +98,9 @@ HACK_IPV4="NS-IN-DDOS"
# New functionality in 0.9.8 obsoletes BLOCKTCPPORTS and BLOCKUDPPORTS
BLOCKEDIP=$BASEDIR/ipv4-blocked
# Block outgoing traffic on these TCP/UDP ports
# Obsoleted: Use BLOCKEDIP above in new format. Going away in 1.0
#BLOCKTCPPORTS="6881"
#BLOCKUDPPORTS="6881"
# Strip ECN off of packets - helps with blackholes
# Either individual IPs or 0.0.0.0/0
STRIPECN="0.0.0.0/0"
#STRIPECN="0.0.0.0/0"
# Block private LAN traffic (RFC reserved space) going OUT on these interfaces
# for security reasons. This has the potential to cause issues if your
@ -124,11 +119,11 @@ STRIPECN="0.0.0.0/0"
# IPv6 related features. Commenting out IPV6 variable disables ALL
# IPv6 related items
IPV6=1
#IPV6=1
# Do we want IPv6 FORWARD and Connection tracking features?
#IPV6FORWARD=1
#IPV6CONNTRACK=1
#IPV6_FORWARD=1
#IPV6_CONNTRACK=1
# Allow outgoing DNS requests - important if you did not activate connection
# tracking. Set this to the interfaces you wish to use for outgoing requests
@ -136,40 +131,39 @@ IPV6=1
#IPV6_DNS_REQUESTS_OUT="eth0|2001::1|2001::2|2001::3 eth1"
# Default block all incoming ipv6 connections?
IPV6BLOCKINCOMING=1
#IPV6_BLOCKINCOMING=1
# Special case for routers that have ipv6 clients behind them.
# Useful if clients do not have proper ipv6 firewalls.
#IPV6ROUTEDCLIENTBLOCK=1
#IPV6_ROUTEDCLIENTBLOCK=1
# IP range(s) to forward
#IPV6_ROUTING=$BASEDIR/ipv6-routing
# Mark ipv6 packets for advanced purposes
#IPv6_MARK=$BASEDIR/ipv6-marks
#IPV6_MARK=$BASEDIR/ipv6-marks
# IPv6 Ranges to block all traffic incoming/outgoing
#BLOCKEDIPV6=$BASEDIR/ipv6-blocked
#IPV6_BLOCKEDIP=$BASEDIR/ipv6-blocked
# Clamp MSS, useful on DSL/VPN links
# Space separated list of interfaces to apply this on
# it may be used eventually.
#CLAMPMSSIPV6="he-ipv6"
#IPV6_CLAMPMSS="he-ipv6"
# Interface IPv6 comes in on (either tunnel or real network interface)
#IPV6INT=he-ipv6
#IPV6_INT=he-ipv6
# LAN interface for IPv6
#IPV6LAN=eth1
#IPV6_LAN=eth1
# Trusted IPv6 ranges
IPV6TRUSTED="::1"
#IPV6_TRUSTED="::1"
# Allowed incoming IPv6 ports (for now, use $TCPPORTS and $UDPPORTS to
# have same for both ipv4 and ipv6)
IPV6TCP=$TCPPORTS
IPV6UDP=$UDPPORTS
#IPV6_TCPPORTS=$TCPPORTS
#IPV6_UDPPORTS=$UDPPORTS
# IPv6 range to forward
#IPV6FORWARDRANGE=""
# Block outgoing IPv6 traffic on these TCP/UDP ports
#BLOCKIPV6TCPPORTS=$BLOCKTCPPORTS
#BLOCKIPV6UDPPORTS=$BLOCKUDPPORTS
#IPV6_FORWARDRANGE=""