From 6966eff9038137a70e00e9fe3644dfe0963c9b16 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Tue, 15 Aug 2017 14:04:18 +0200
Subject: [PATCH] Add rule to prevent bridged traffic getting pushed through the host's iptables rules if requested (do_not_firewall_bridged_traffic).

---
 ip6t-firewall-server | 14 ++++++++++++++
 ip6t-firewall-server.conf.sample | 11 ++++++++---
 ipt-firewall-server | 14 ++++++++++++++
 ipt-firewall-server.conf.sample | 11 ++++++++---
 4 files changed, 44 insertions(+), 6 deletions(-)

diff --git a/ip6t-firewall-server b/ip6t-firewall-server
index f377888..1b64e4e 100755
--- a/ip6t-firewall-server
+++ b/ip6t-firewall-server
@@ -142,6 +142,20 @@ echo
 
 
 
+# -------------
+# --- Prevent bridged traffic getting pushed through the host's iptables rules
+# -------------
+
+echononl "\tPrevent bridged traffic getting pushed through the host's iptables rules"
+if $do_not_firewall_bridged_traffic ; then
+ $ip6t -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
+ echo_done
+else
+ echo_skipped
+fi
+
+
+
 # -------------
 # ------------ Stopping firewall if only flushing was requested (parameter flush)
 # -------------
diff --git a/ip6t-firewall-server.conf.sample b/ip6t-firewall-server.conf.sample
index a225f38..d56cb14 100644
--- a/ip6t-firewall-server.conf.sample
+++ b/ip6t-firewall-server.conf.sample
@@ -64,9 +64,14 @@ ext_ifs="$ext_if_1 $ext_if_2 $ext_if_3"
 # - is this a virtuel system ?
 host_is_vm=false
 
-# - Extern Interfaces Static Lines
-# - (comma separated list)
-#ext_if_static="eth0"
+# - Prevent bridged traffic getting pushed through the
+# - host's iptables rules
+# -
+# - Note: Maybe youe have also to activate forwarding
+# -
+# - Set: kernel_forward_between_interfaces=true
+# -
+do_not_firewall_bridged_traffic=false
 
 # - VPN Interfaces
 # - (comma separated list)
diff --git a/ipt-firewall-server b/ipt-firewall-server
index bf3a9e9..7c81529 100755
--- a/ipt-firewall-server
+++ b/ipt-firewall-server
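Review bot: The new `if $do_not_firewall_bridged_traffic ; then` runs the variable's value as a command, so on a host whose existing .conf predates this option the condition expands to nothing, the shell treats that as a successful empty command, and the FORWARD bypass rule is installed on a host that never asked for it; a value such as `yes` would instead execute that program. Test the value and default to the safe branch, `if [ "${do_not_firewall_bridged_traffic:-false}" = "true" ] ; then`, and the same applies to the `$ipt` hunk in ipt-firewall-server. Because `-I FORWARD` puts this ACCEPT ahead of every existing FORWARD rule, a comment above it such as `# bridged frames skip all FORWARD filtering from here on by design` would stop a later rule being added below it in the expectation that it sees bridged traffic. The rest of the script may use the same `if $flag` idiom for other booleans, which the hunk does not show; if so the check belongs where the config is sourced.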
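Review bot: The two sample files name different forwarding switches for the same feature: this hunk tells the user to set `kernel_forward_between_interfaces=true`, while the ipt-firewall-server.conf.sample hunk says `kernel_activate_forwarding=true`, and at most one of those can be the variable the scripts actually read, so the other should be corrected to match (the diff does not show which). The new comment also has a typo in both files, `youe` → `you`. Dropping the commented `ext_if_static="eth0"` example is unrelated to the commit subject; if the scripts still read `ext_if_static` (not visible here) the example should stay, otherwise the removal belongs in the commit message.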
@@ -221,6 +221,20 @@ echo
 
 
 
+# -------------
+# --- Prevent bridged traffic getting pushed through the host's iptables rules
+# -------------
+
+echononl "\tPrevent bridged traffic getting pushed through the host's iptables rules"
+if $do_not_firewall_bridged_traffic ; then
+ $ipt -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
+ echo_done
+else
+ echo_skipped
+fi
+
+
+
 # -------------
 # ------------ Stopping firewall if only flushing was requested (parameter flush)
 # -------------
diff --git a/ipt-firewall-server.conf.sample b/ipt-firewall-server.conf.sample
index 9bac5b8..0ee7d53 100644
--- a/ipt-firewall-server.conf.sample
+++ b/ipt-firewall-server.conf.sample
@@ -64,9 +64,14 @@ ext_ifs="$ext_if_1 $ext_if_2 $ext_if_3"
 # - is this a virtuel system ?
 host_is_vm=false
 
-# - Extern Interfaces Static Lines
-# - (comma separated list)
-#ext_if_static="eth0"
+# - Prevent bridged traffic getting pushed through the
+# - host's iptables rules
+# -
+# - Note: Maybe youe have also to activate forwarding
+# -
+# - Set: kernel_activate_forwarding=true
+# -
+do_not_firewall_bridged_traffic=false
 
 # - VPN Interfaces
 # - (comma separated list)