firewall/ipt-gateway
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix error concerning variable 'loopback'

Browse Source
This commit is contained in:
Christoph 2019-06-30 01:24:46 +02:00
parent bbffa0fabb
commit 45b144f416
2 changed files with 21 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
ip6t-firewall-gateway
View File

@ -450,25 +450,25 @@ if $protect_against_several_attacks ; then
for _dev in ${dsl_device_arr[@]} ; do for _dev in ${dsl_device_arr[@]} ; do
if $log_spoofed || $log_all ; then if $log_spoofed || $log_all ; then
$ip6t -A INPUT -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): " $ip6t -A INPUT -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): "
$ip6t -A INPUT -i $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): " $ip6t -A INPUT -i $_dev -s $loopback_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): "
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): " $ip6t -A FORWARD -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): "
$ip6t -A FORWARD -i $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): " $ip6t -A FORWARD -i $_dev -s $loopback_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): "
fi fi
fi fi
$ip6t -A INPUT -i $_dev -s $ula_block -j DROP $ip6t -A INPUT -i $_dev -s $ula_block -j DROP
$ip6t -A INPUT -i $_dev -s $loopback -j DROP $ip6t -A INPUT -i $_dev -s $loopback_ipv6 -j DROP
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -s $ula_block -j DROP $ip6t -A FORWARD -i $_dev -s $ula_block -j DROP
$ip6t -A FORWARD -i $_dev -s $loopback -j DROP $ip6t -A FORWARD -i $_dev -s $loopback_ipv6 -j DROP
fi fi
# Don't allow spoofing from that server # Don't allow spoofing from that server
$ip6t -A OUTPUT -o $_dev -s $ula_block -j DROP $ip6t -A OUTPUT -o $_dev -s $ula_block -j DROP
$ip6t -A OUTPUT -o $_dev -s $loopback -j DROP $ip6t -A OUTPUT -o $_dev -s $loopback_ipv6 -j DROP
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -s $ula_block -j DROP $ip6t -A FORWARD -o $_dev -s $ula_block -j DROP
$ip6t -A FORWARD -o $_dev -s $loopback -j DROP $ip6t -A FORWARD -o $_dev -s $loopback_ipv6 -j DROP
fi fi
done done
echo_done echo_done

29
ipt-firewall-gateway
View File

@ -824,12 +824,13 @@ if $protect_against_several_attacks ; then
# - Protection against syn-flooding # - Protection against syn-flooding
# --- # ---
$ipt -N syn-flood $ipt -N syn_flood
$ipt -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN $ipt -A INPUT -p tcp --syn -j syn_flood
$ipt -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
if $log_syn_flood || $log_all ; then if $log_syn_flood || $log_all ; then
$ipt -A syn-flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood: " $ipt -A syn_flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood: "
fi fi
$ipt -A syn-flood -j DROP $ipt -A syn_flood -j DROP
# --- # ---
@ -934,7 +935,7 @@ if $protect_against_several_attacks ; then
$ipt -A INPUT -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net: " $ipt -A INPUT -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net: "
$ipt -A INPUT -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net: " $ipt -A INPUT -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net: "
$ipt -A INPUT -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net: " $ipt -A INPUT -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net: "
$ipt -A INPUT -i $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback: " $ipt -A INPUT -i $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback: "
$ipt -A INPUT -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast: " $ipt -A INPUT -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast: "
$ipt -A INPUT -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved: " $ipt -A INPUT -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved: "
#$ipt -A INPUT -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address: " #$ipt -A INPUT -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address: "
@ -943,7 +944,7 @@ if $protect_against_several_attacks ; then
$ipt -A FORWARD -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net: " $ipt -A FORWARD -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net: "
$ipt -A FORWARD -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net: " $ipt -A FORWARD -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net: "
$ipt -A FORWARD -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net: " $ipt -A FORWARD -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net: "
$ipt -A FORWARD -i $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback: " $ipt -A FORWARD -i $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback: "
$ipt -A FORWARD -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast: " $ipt -A FORWARD -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast: "
$ipt -A FORWARD -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved: " $ipt -A FORWARD -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved: "
#$ipt -A FORWARD -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address: " #$ipt -A FORWARD -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address: "
@ -956,7 +957,7 @@ if $protect_against_several_attacks ; then
# Retfuse packets claiming to be from a Class C private network. # Retfuse packets claiming to be from a Class C private network.
$ipt -A INPUT -i $_dev -s $priv_class_c -j DROP $ipt -A INPUT -i $_dev -s $priv_class_c -j DROP
# Refuse packets claiming to be from loopback interface. # Refuse packets claiming to be from loopback interface.
$ipt -A INPUT -i $_dev -s $loopback -j DROP $ipt -A INPUT -i $_dev -s $loopback_ipv4 -j DROP
# Refuse Class D multicast addresses. Multicast is illegal as a source address. # Refuse Class D multicast addresses. Multicast is illegal as a source address.
$ipt -A INPUT -i $_dev -s $class_d_multicast -j DROP $ipt -A INPUT -i $_dev -s $class_d_multicast -j DROP
# Refuse Class E reserved IP addresses. # Refuse Class E reserved IP addresses.
@ -971,7 +972,7 @@ if $protect_against_several_attacks ; then
# Refuse packets claiming to be from a Class C private network. # Refuse packets claiming to be from a Class C private network.
$ipt -A FORWARD -i $_dev -s $priv_class_c -j DROP $ipt -A FORWARD -i $_dev -s $priv_class_c -j DROP
# Refuse packets claiming to be from loopback interface. # Refuse packets claiming to be from loopback interface.
$ipt -A FORWARD -i $_dev -s $loopback -j DROP $ipt -A FORWARD -i $_dev -s $loopback_ipv4 -j DROP
# Refuse Class D multicast addresses. Multicast is illegal as a source address. # Refuse Class D multicast addresses. Multicast is illegal as a source address.
$ipt -A FORWARD -i $_dev -s $class_d_multicast -j DROP $ipt -A FORWARD -i $_dev -s $class_d_multicast -j DROP
# Refuse Class E reserved IP addresses. # Refuse Class E reserved IP addresses.
@ -991,14 +992,14 @@ if $protect_against_several_attacks ; then
# quench to the loopback. # quench to the loopback.
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
if $log_to_lo || $log_all ; then if $log_to_lo || $log_all ; then
$ipt -A INPUT -i $_dev -d $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback: " $ipt -A INPUT -i $_dev -d $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback: "
if $kernel_activate_forwarding ; then if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -d $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback: " $ipt -A FORWARD -i $_dev -d $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback: "
fi fi
fi fi
$ipt -A INPUT -i $_dev -d $loopback -j DROP $ipt -A INPUT -i $_dev -d $loopback_ipv4 -j DROP
if $kernel_activate_forwarding ; then if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -d $loopback -j DROP $ipt -A FORWARD -i $_dev -d $loopback_ipv4 -j DROP
fi fi
done done
@ -1012,12 +1013,12 @@ if $protect_against_several_attacks ; then
$ipt -A OUTPUT -o $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class A: " $ipt -A OUTPUT -o $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class A: "
$ipt -A OUTPUT -o $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class B: " $ipt -A OUTPUT -o $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class B: "
$ipt -A OUTPUT -o $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class C: " $ipt -A OUTPUT -o $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class C: "
$ipt -A OUTPUT -o $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback: " $ipt -A OUTPUT -o $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback: "
fi fi
$ipt -A OUTPUT -o $_dev -s $priv_class_a -j DROP $ipt -A OUTPUT -o $_dev -s $priv_class_a -j DROP
$ipt -A OUTPUT -o $_dev -s $priv_class_b -j DROP $ipt -A OUTPUT -o $_dev -s $priv_class_b -j DROP
$ipt -A OUTPUT -o $_dev -s $priv_class_c -j DROP $ipt -A OUTPUT -o $_dev -s $priv_class_c -j DROP
$ipt -A OUTPUT -o $_dev -s $loopback -j DROP $ipt -A OUTPUT -o $_dev -s $loopback_ipv4 -j DROP
done done
echo_done echo_done