brielle
/
SRFirewall
1
0
Fork 0
Code Issues Pull Requests Releases 1 Wiki Activity

icmpv6 is evil.

master
bbruns 2014-04-12 23:55:11 +00:00
parent 10a5e966c7
commit 7b50a75f09
3 changed files with 30 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
bin/srfirewall
View File

@ -209,6 +209,7 @@ if [ "${EnableIPv6}" == "yes" ]; then
[[ ${AllowAllv6Loopback} == "yes" ]] && allow_all_loopback ipv6 [[ ${AllowAllv6Loopback} == "yes" ]] && allow_all_loopback ipv6
[[ ${EnableTrustedv6Hosts} == "yes" ]] && allow_trusted_hosts ipv6 [[ ${EnableTrustedv6Hosts} == "yes" ]] && allow_trusted_hosts ipv6
enable_v6_critical_icmp
Defaultv6InPolicy=${Defaultv6InPolicy=ACCEPT} Defaultv6InPolicy=${Defaultv6InPolicy=ACCEPT}
Defaultv6OutPolicy=${Defaultv6OutPolicy=ACCEPT} Defaultv6OutPolicy=${Defaultv6OutPolicy=ACCEPT}
Defaultv6FwdPolicy=${Defaultv6FwdPolicy=ACCEPT} Defaultv6FwdPolicy=${Defaultv6FwdPolicy=ACCEPT}

3
etc/chains.conf
View File

@ -12,4 +12,5 @@ FwdFilter="Fwd-Filter"
NAT="NAT" NAT="NAT"
PortForward="PortForward" PortForward="PortForward"
InPostRules="In-PostRules" InPostRules="In-PostRules"
OutPostRules="Out-PostRules" OutPostRules="Out-PostRules"
v6ICMP="IPv6-ICMP"

27
lib/iptables.inc
View File

@ -89,6 +89,7 @@ function setup_iptables_chains {
([[ ${IPVER} == "6" ]] && [[ ${Enablev6NAT} == "yes" ]]) && ${VER_IPTABLES} -N ${NAT} -t nat ([[ ${IPVER} == "6" ]] && [[ ${Enablev6NAT} == "yes" ]]) && ${VER_IPTABLES} -N ${NAT} -t nat
([[ ${IPVER} == "4" ]] && [[ ${Enablev4NAT} == "yes" ]]) && ${VER_IPTABLES} -N ${PortForward} -t nat ([[ ${IPVER} == "4" ]] && [[ ${Enablev4NAT} == "yes" ]]) && ${VER_IPTABLES} -N ${PortForward} -t nat
([[ ${IPVER} == "6" ]] && [[ ${Enablev6NAT} == "yes" ]]) && ${VER_IPTABLES} -N ${PortForward} -t nat ([[ ${IPVER} == "6" ]] && [[ ${Enablev6NAT} == "yes" ]]) && ${VER_IPTABLES} -N ${PortForward} -t nat
[[ ${IPVER} == "6" ]] && ${VER_IPTABLES} -N ${v6ICMP}
${VER_IPTABLES} -N ${InPostRules} ${VER_IPTABLES} -N ${InPostRules}
${VER_IPTABLES} -N ${OutPostRules} ${VER_IPTABLES} -N ${OutPostRules}
@ -120,6 +121,7 @@ function setup_iptables_chains {
([[ ${IPVER} == "4" ]] && [[ ${Enablev4NAT} == "yes" ]]) && ${VER_IPTABLES} -A PREROUTING -t nat -j ${PortForward} ([[ ${IPVER} == "4" ]] && [[ ${Enablev4NAT} == "yes" ]]) && ${VER_IPTABLES} -A PREROUTING -t nat -j ${PortForward}
([[ ${IPVER} == "6" ]] && [[ ${Enablev6NAT} == "yes" ]]) && ${VER_IPTABLES} -A PREROUTING -t nat -j ${PortForward} ([[ ${IPVER} == "6" ]] && [[ ${Enablev6NAT} == "yes" ]]) && ${VER_IPTABLES} -A PREROUTING -t nat -j ${PortForward}
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh; fi if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh; fi
[[ ${IPVER} == "6" ]] && ${VER_IPTABLES} -A INPUT -j ${v6ICMP}
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up InPostRules" ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up InPostRules"
${VER_IPTABLES} -A INPUT -j ${InPostRules} ${VER_IPTABLES} -A INPUT -j ${InPostRules}
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up OutPostRules" ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up OutPostRules"
@ -611,4 +613,29 @@ function enable_portfw {
done < "${FWCONFIGDIR}/ipv${IPVER}/portfw.conf" done < "${FWCONFIGDIR}/ipv${IPVER}/portfw.conf"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done" ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
fi fi
}
function enable_v6_critical_icmp {
VER_IPTABLES=${IP6TABLES}
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 133 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 134-j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 135-j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 137 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 141 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 142 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 130 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 131 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 132 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 143 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 148 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 149 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 151 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 152 -j ACCEPT
${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 153 -j ACCEPT
} }