IPv6 variable rename plus compattibility settings in static
bbruns
parent
c2dc9a4fd6
commit
fc6b4ed4ce
|
|
@ -3,8 +3,9 @@
|
|||
- More init script fixes.
|
||||
- Non-conntracked DNS reply packets allow options
|
||||
- Slightly improved IPv6 support to start to bring
|
||||
it up to par with IPv4 support.Ã
|
||||
it up to par with IPv4 support.
|
||||
- ipv6 marking support, changed ipv4 to use | instead of :
|
||||
- Renamed IPV6 variables, compatibility in place for now in static file
|
||||
|
||||
0.9.8a - Brielle Bruns <bruns@2mbit.com>
|
||||
- Fixing executable file permission issues
|
||||
|
|
|
|||
|
|
@ -618,10 +618,14 @@ if [ "$IPV6_DNS_REQUESTS_OUT" ]; then
|
|||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
if [ "$BLOCKEDIPV6" ]; then
|
||||
if [ -s "$BASEDIR/include/ipv6_custom_blockoutports" ]; then
|
||||
display_c YELLOW "Loading custom IPv6 blocked outbound port rules..."
|
||||
. "$BASEDIR/include/ipv6_custom_blockoutports"
|
||||
fi
|
||||
|
||||
if [ "$IPV6_BLOCKEDIP" ]; then
|
||||
display_c YELLOW "Adding blocked IPv6 addresses... "
|
||||
for i in `grep -v "\#" $BLOCKEDIPV6`; do
|
||||
for i in `grep -v "\#" $IPV6_BLOCKEDIP`; do
|
||||
if [[ "$i" =~ "|" ]]; then
|
||||
IFS_OLD=${IFS};IFS=\|
|
||||
ADVBLKIP=($i)
|
||||
|
|
@ -678,9 +682,9 @@ fi
|
|||
. "$BASEDIR/include/ipv6_custom_mssclamp"
|
||||
fi
|
||||
|
||||
if [ "$CLAMPMSSIPV6" ]; then
|
||||
if [ "$IPV6_CLAMPMSS" ]; then
|
||||
display_c YELLOW "Clamping IPV6 MSS to PMTU..."
|
||||
for i in $CLAMPMSSIPV6; do
|
||||
for i in $IPV6_CLAMPMSS; do
|
||||
$IP6TABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
|
||||
-j TCPMSS --clamp-mss-to-pmtu -o $i -m tcpmss \
|
||||
--mss 1280:1536
|
||||
|
|
@ -699,36 +703,15 @@ fi
|
|||
done
|
||||
fi
|
||||
|
||||
if [ -s "$BASEDIR/include/ipv6_custom_blockoutports" ]; then
|
||||
display_c YELLOW "Loading custom IPv6 blocked outbound port rules..."
|
||||
. "$BASEDIR/include/ipv6_custom_blockoutports"
|
||||
fi
|
||||
if [ "$BLOCKIPV6TCPPORTS" ] || [ "$BLOCKIPV6UDPPORTS" ]; then
|
||||
display_c YELLOW "Blocking outbound port: " N
|
||||
if [ "$BLOCKIPV6TCPPORTS" ]; then
|
||||
for i in $BLOCKIPV6TCPPORTS; do
|
||||
echo -en "${PURPLE}TCP${DEFAULT_COLOR}/${GREEN}$i "
|
||||
$IP6TABLES -A OUTPUT -p tcp --dport $i --syn -j DROP
|
||||
done
|
||||
fi
|
||||
if [ "$BLOCKIPV6UDPPORTS" ]; then
|
||||
for i in $BLOCKIPV6UDPPORTS; do
|
||||
echo -en "${BLUE}UDP${DEFAULT_COLOR}/${GREEN}$i "
|
||||
$IP6TABLES -A OUTPUT -p udp --dport $i -j DROP
|
||||
done
|
||||
fi
|
||||
reset_color
|
||||
fi
|
||||
|
||||
if [ -s "$BASEDIR/include/ipv6_custom_allowedports" ]; then
|
||||
display_c YELLOW "Loading custom IPv6 allowed port rules..."
|
||||
. "$BASEDIR/include/ipv6_custom_allowedports"
|
||||
fi
|
||||
if [ "$IPV6TCP" ] || [ "$IPV6UDP" ]; then
|
||||
if [ "$IPV6_TCPPORTS" ] || [ "$IPV6_UDPPORTS" ]; then
|
||||
display_c YELLOW "Adding allowed IPv6 port: " N
|
||||
if [ "$IPV6TCP" ]; then
|
||||
if [ "$IPV6_TCPPORTS" ]; then
|
||||
if [ "$IPTABLES_MULTIPORT" == "yes" ] && [ "$NF_MULTIPORT_MAX_PORTS" ]; then
|
||||
IPV6TCP=($IPV6TCP)
|
||||
IPV6_TCPPORTS=($IPV6_TCPPORTS)
|
||||
PORTS_COUNT=${#IPV6TCP[@]}
|
||||
PORTS_COUNT_CURR=0
|
||||
while (( "$PORTS_COUNT_CURR" < "$PORTS_COUNT" )); do
|
||||
|
|
@ -750,8 +733,8 @@ fi
|
|||
$IP6TABLES -A INPUT -p tcp --dport $i -j ACCEPT
|
||||
done
|
||||
fi
|
||||
if [ "$IPV6UDP" ]; then
|
||||
for i in $IPV6UDP; do
|
||||
if [ "$IPV6_UDPPORTS" ]; then
|
||||
for i in $IPV6_UDPPORTS; do
|
||||
echo -en "${BLUE}UDP${DEFAULT_COLOR}/${GREEN}$i "
|
||||
$IP6TABLES -A OUTPUT -p udp --sport 1:65535 --dport $i -j ACCEPT
|
||||
$IP6TABLES -A INPUT -p udp --dport $i --sport 1:65535 -j ACCEPT
|
||||
|
|
@ -767,9 +750,9 @@ fi
|
|||
. "$BASEDIR/include/ipv6_custom_mark"
|
||||
fi
|
||||
|
||||
if [ -r "$IPv6_MARK" ]; then
|
||||
if [ -r "$IPV6_MARK" ]; then
|
||||
display_c YELLOW "Adding IPv6 mark: "
|
||||
for i in `grep -v "\#" $IPv6_MARK`; do
|
||||
for i in `grep -v "\#" $IPV6_MARK`; do
|
||||
MARK=( ${i//|/ } )
|
||||
INIF=${MARK[0]}
|
||||
INIP=${MARK[1]}
|
||||
|
|
@ -798,7 +781,7 @@ fi
|
|||
. "$BASEDIR/include/ipv6_custom_conntrack"
|
||||
fi
|
||||
|
||||
if [ "$IPV6CONNTRACK" ]; then
|
||||
if [ "$IPV6_CONNTRACK" ]; then
|
||||
$IP6TABLES -A INPUT -m state --state NEW -j ACCEPT
|
||||
$IP6TABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
$IP6TABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
|
|
@ -810,7 +793,7 @@ fi
|
|||
$IP6TABLES -A FORWARD -m state --state INVALID -j DROP
|
||||
fi
|
||||
|
||||
if [ $IPV6ROUTEDCLIENTBLOCK ]; then
|
||||
if [ $IPV6_ROUTEDCLIENTBLOCK ]; then
|
||||
$IP6TABLES -A FORWARD -i $IPV6INT -o $IPV6LAN -p tcp --syn -j DROP
|
||||
$IP6TABLES -A INPUT -i $IPV6INT -p tcp --syn -j DROP
|
||||
$IP6TABLES -A INPUT -i $IPV6INT -p udp ! --dport 32768:65535 -j DROP
|
||||
|
|
@ -823,8 +806,8 @@ fi
|
|||
display_c YELLOW "Loading custom IPv6 routing rules..."
|
||||
. "$BASEDIR/include/ipv6_custom_routing"
|
||||
fi
|
||||
if [ "$IPV6FORWARDRANGE" ]; then
|
||||
for i in $IPV6FORWARDRANGE; do
|
||||
if [ "$IPV6_FORWARDRANGE" ]; then
|
||||
for i in $IPV6_FORWARDRANGE; do
|
||||
$IP6TABLES -A FORWARD -s $i -j ACCEPT
|
||||
$IP6TABLES -A FORWARD -d $i -j ACCEPT
|
||||
done
|
||||
|
|
@ -834,7 +817,7 @@ fi
|
|||
display_c YELLOW "Loading custom IPv6 incoming blocked port rules..."
|
||||
. "$BASEDIR/include/ipv6_custom_blockincoming"
|
||||
fi
|
||||
if [ $IPV6BLOCKINCOMING ]; then
|
||||
if [ $IPV6_BLOCKINCOMING ]; then
|
||||
$IP6TABLES -A INPUT -p tcp --syn -j DROP
|
||||
$IP6TABLES -A INPUT -p udp -j DROP
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -27,6 +27,19 @@
|
|||
# but if you want to make sure you have a current options file, define this to 0.
|
||||
if [[ "$COMPAT_CONFIG" == "1" ]]; then
|
||||
MODPROBE=`which modprobe`
|
||||
# These are temp compatibility with old config files with IPv6
|
||||
IPV6_FORWARD=${IPV6_FORWARD=$IPV6FORWARD}
|
||||
IPV6_CONNTRACK=${IPV6_CONNTRACK=$IPV6CONNTRACK}
|
||||
IPV6_BLOCKINCOMING=${$IPV6_BLOCKINCOMING=$IPV6BLOCKINCOMING}
|
||||
IPV6_MARK=${IPV6_MARK=$IPv6_MARK}
|
||||
IPV6_BLOCKED=${IPV6_BLOCKED=$BLOCKEDIPV6}
|
||||
IPV6_CLAMPMSS=${IPV6_CLAMPMSS=$CLAMPMSSIPV6}
|
||||
IPV6_INT=${IPV6_INT=$IPV6INT}
|
||||
IPV6_LAN=${IPV6_LAN=$IPV6LAN}
|
||||
IPV6_TRUSTED=${IPV6_TRUSTED=$IPV6TRUSTED}
|
||||
IPV6_TCPPORTS=${IPV6_TCPPORTS=$IPV6TCP}
|
||||
IPV6_UDPPORTS=${IPV6_UDPPORTS=$IPV6UDP}
|
||||
IPV6_FORWARDRANGE=${IPV6_FORWARDRANGE=$IPV6FORWARDRANGE}
|
||||
fi
|
||||
|
||||
PRERUN="$BASEDIR/prerun"
|
||||
|
|
|
|||
|
|
@ -98,14 +98,9 @@ HACK_IPV4="NS-IN-DDOS"
|
|||
# New functionality in 0.9.8 obsoletes BLOCKTCPPORTS and BLOCKUDPPORTS
|
||||
BLOCKEDIP=$BASEDIR/ipv4-blocked
|
||||
|
||||
# Block outgoing traffic on these TCP/UDP ports
|
||||
# Obsoleted: Use BLOCKEDIP above in new format. Going away in 1.0
|
||||
#BLOCKTCPPORTS="6881"
|
||||
#BLOCKUDPPORTS="6881"
|
||||
|
||||
# Strip ECN off of packets - helps with blackholes
|
||||
# Either individual IPs or 0.0.0.0/0
|
||||
STRIPECN="0.0.0.0/0"
|
||||
#STRIPECN="0.0.0.0/0"
|
||||
|
||||
# Block private LAN traffic (RFC reserved space) going OUT on these interfaces
|
||||
# for security reasons. This has the potential to cause issues if your
|
||||
|
|
@ -124,11 +119,11 @@ STRIPECN="0.0.0.0/0"
|
|||
|
||||
# IPv6 related features. Commenting out IPV6 variable disables ALL
|
||||
# IPv6 related items
|
||||
IPV6=1
|
||||
#IPV6=1
|
||||
|
||||
# Do we want IPv6 FORWARD and Connection tracking features?
|
||||
#IPV6FORWARD=1
|
||||
#IPV6CONNTRACK=1
|
||||
#IPV6_FORWARD=1
|
||||
#IPV6_CONNTRACK=1
|
||||
|
||||
# Allow outgoing DNS requests - important if you did not activate connection
|
||||
# tracking. Set this to the interfaces you wish to use for outgoing requests
|
||||
|
|
@ -136,40 +131,39 @@ IPV6=1
|
|||
#IPV6_DNS_REQUESTS_OUT="eth0|2001::1|2001::2|2001::3 eth1"
|
||||
|
||||
# Default block all incoming ipv6 connections?
|
||||
IPV6BLOCKINCOMING=1
|
||||
#IPV6_BLOCKINCOMING=1
|
||||
|
||||
# Special case for routers that have ipv6 clients behind them.
|
||||
# Useful if clients do not have proper ipv6 firewalls.
|
||||
#IPV6ROUTEDCLIENTBLOCK=1
|
||||
#IPV6_ROUTEDCLIENTBLOCK=1
|
||||
|
||||
# IP range(s) to forward
|
||||
#IPV6_ROUTING=$BASEDIR/ipv6-routing
|
||||
|
||||
# Mark ipv6 packets for advanced purposes
|
||||
#IPv6_MARK=$BASEDIR/ipv6-marks
|
||||
#IPV6_MARK=$BASEDIR/ipv6-marks
|
||||
|
||||
# IPv6 Ranges to block all traffic incoming/outgoing
|
||||
#BLOCKEDIPV6=$BASEDIR/ipv6-blocked
|
||||
#IPV6_BLOCKEDIP=$BASEDIR/ipv6-blocked
|
||||
|
||||
# Clamp MSS, useful on DSL/VPN links
|
||||
# Space separated list of interfaces to apply this on
|
||||
# it may be used eventually.
|
||||
#CLAMPMSSIPV6="he-ipv6"
|
||||
#IPV6_CLAMPMSS="he-ipv6"
|
||||
|
||||
# Interface IPv6 comes in on (either tunnel or real network interface)
|
||||
#IPV6INT=he-ipv6
|
||||
#IPV6_INT=he-ipv6
|
||||
|
||||
# LAN interface for IPv6
|
||||
#IPV6LAN=eth1
|
||||
#IPV6_LAN=eth1
|
||||
|
||||
# Trusted IPv6 ranges
|
||||
IPV6TRUSTED="::1"
|
||||
#IPV6_TRUSTED="::1"
|
||||
|
||||
# Allowed incoming IPv6 ports (for now, use $TCPPORTS and $UDPPORTS to
|
||||
# have same for both ipv4 and ipv6)
|
||||
IPV6TCP=$TCPPORTS
|
||||
IPV6UDP=$UDPPORTS
|
||||
#IPV6_TCPPORTS=$TCPPORTS
|
||||
#IPV6_UDPPORTS=$UDPPORTS
|
||||
|
||||
# IPv6 range to forward
|
||||
#IPV6FORWARDRANGE=""
|
||||
|
||||
# Block outgoing IPv6 traffic on these TCP/UDP ports
|
||||
#BLOCKIPV6TCPPORTS=$BLOCKTCPPORTS
|
||||
#BLOCKIPV6UDPPORTS=$BLOCKUDPPORTS
|
||||
#IPV6_FORWARDRANGE=""
|
||||
|
|
|
|||
Loading…
Reference in New Issue