Fix error dropping ICMP packets. Fix error dropping private networks.

This commit is contained in:
Christoph 2020-10-29 12:55:59 +01:00
parent bcdee40228
commit 96b3e162fe
2 changed files with 16 additions and 10 deletions


@ -620,7 +620,7 @@ echononl "\tBlock spoofed (private/reserved) packets"
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
if $log_spoofed || $log_all ; then if $log_spoofed || $log_all ; then
$ip6t -t mangle -A PREROUTING -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): " $ip6t -t mangle -A PREROUTING -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): "
$ip6t -t mangle -A PREROUTING -i $_dev -s $link_local_unicast_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (Link Local Unicast): " #$ip6t -t mangle -A PREROUTING -i $_dev -s $link_local_unicast_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (Link Local Unicast): "
$ip6t -t mangle -A PREROUTING -i $_dev -s $multicast_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix Multicast: " $ip6t -t mangle -A PREROUTING -i $_dev -s $multicast_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix Multicast: "
fi fi
done done
@ -631,7 +631,11 @@ fi
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
$ip6t -t mangle -A PREROUTING -i $_dev -s $ula_block -j DROP $ip6t -t mangle -A PREROUTING -i $_dev -s $ula_block -j DROP
$ip6t -t mangle -A PREROUTING -i $_dev -s $link_local_unicast_block -j DROP
# !! Does NOT work !!
#
#$ip6t -t mangle -A PREROUTING -i $_dev -s $link_local_unicast_block -j DROP
$ip6t -t mangle -A PREROUTING -i $_dev -s $multicast_ipv6 -j DROP $ip6t -t mangle -A PREROUTING -i $_dev -s $multicast_ipv6 -j DROP
done done
$ip6t -t mangle -A PREROUTING -s $loopback_ipv6 ! -i lo -j DROP $ip6t -t mangle -A PREROUTING -s $loopback_ipv6 ! -i lo -j DROP
@ -645,12 +649,13 @@ echo_done
echononl "\tDrop all ICMP traffic.." echononl "\tDrop all ICMP traffic.."
if [[ -n "$drop_icmp" ]] && $drop_icmp ; then if [[ -n "$drop_icmp" ]] && $drop_icmp ; then
if $log_rejected || $log_all ; then if $log_rejected || $log_all ; then
$ip6t -t mangle -A PREROUTING -p ipv6-icmp -j $LOG_TARGET $tag_log_prefix "$log_prefix Drop all ICMP traffic: " $ip6t -t mangle -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j $LOG_TARGET $tag_log_prefix "$log_prefix Drop all ICMP traffic: "
fi fi
$ip6t -t mangle -A PREROUTING -p ipv6-icmp -j DROP $ip6t -t mangle -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j DROP
echo_done echo_done
else
echo_skipped
fi fi
echo_skipped
# --- # ---
@ -662,12 +667,12 @@ echononl "\tDon't allow spoofing out from this server"
if $log_spoofed_out || $log_all ; then if $log_spoofed_out || $log_all ; then
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: " $ip6t -A OUTPUT -o $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: "
$ip6t -A OUTPUT -o $_dev -s $link_local_unicast_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: " #$ip6t -A OUTPUT -o $_dev -s $link_local_unicast_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: "
$ip6t -A OUTPUT -o $_dev -s $multicast_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: " $ip6t -A OUTPUT -o $_dev -s $multicast_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: "
$ip6t -A OUTPUT -o $_dev -s $loopback_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: " $ip6t -A OUTPUT -o $_dev -s $loopback_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: "
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: " $ip6t -A FORWARD -o $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: "
$ip6t -A FORWARD -o $_dev -s $link_local_unicast_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: " #$ip6t -A FORWARD -o $_dev -s $link_local_unicast_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: "
$ip6t -A FORWARD -o $_dev -s $multicast_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: " $ip6t -A FORWARD -o $_dev -s $multicast_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: "
$ip6t -A FORWARD -o $_dev -s $loopback_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: " $ip6t -A FORWARD -o $_dev -s $loopback_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: "
fi fi
@ -676,12 +681,12 @@ fi
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -s $ula_block -j DROP $ip6t -A OUTPUT -o $_dev -s $ula_block -j DROP
$ip6t -A OUTPUT -o $_dev -s $link_local_unicast_block -j DROP #$ip6t -A OUTPUT -o $_dev -s $link_local_unicast_block -j DROP
$ip6t -A OUTPUT -o $_dev -s $multicast_ipv6 -j DROP $ip6t -A OUTPUT -o $_dev -s $multicast_ipv6 -j DROP
$ip6t -A OUTPUT -o $_dev -s $loopback_ipv6 -j DROP $ip6t -A OUTPUT -o $_dev -s $loopback_ipv6 -j DROP
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -s $ula_block -j DROP $ip6t -A FORWARD -o $_dev -s $ula_block -j DROP
$ip6t -A FORWARD -o $_dev -s $link_local_unicast_block -j DROP #$ip6t -A FORWARD -o $_dev -s $link_local_unicast_block -j DROP
$ip6t -A FORWARD -o $_dev -s $multicast_ipv6 -j DROP $ip6t -A FORWARD -o $_dev -s $multicast_ipv6 -j DROP
$ip6t -A FORWARD -o $_dev -s $loopback_ipv6 -j DROP $ip6t -A FORWARD -o $_dev -s $loopback_ipv6 -j DROP
fi fi
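Review bot: The link-local spoof rule in the hunk starting `@ -631,7 +631,11` is disabled with only `# !! Does NOT work !!`, which leaves no record of what actually failed, and the matching log rule plus the OUTPUT/FORWARD rules in the last two hunks are commented out the same way. Assuming `$link_local_unicast_block` is fe80::/10 (its value is not visible here), a link-local source arriving on an external interface is legitimate for Neighbor Discovery and Router Advertisements, so the rule presumably broke IPv6 connectivity rather than failing to load; that reason belongs in the comment, e.g. `# Do not drop link-local sources here: NDP/RA on $_dev uses fe80::/10 as source address`. If the intent is still to block non-NDP traffic from link-local sources, scope the rule instead of removing it, e.g. `$ip6t -t mangle -A PREROUTING -i $_dev -s $link_local_unicast_block ! -p ipv6-icmp -j DROP`. The `for` loop is inside the hunk but the `if` that encloses it starts outside.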


@ -797,8 +797,9 @@ if [[ -n "$drop_icmp" ]] && $drop_icmp ; then
fi fi
$ipt -t mangle -A PREROUTING -p icmp -j DROP $ipt -t mangle -A PREROUTING -p icmp -j DROP
echo_done echo_done
else
echo_skipped
fi fi
echo_skipped
# --- # ---
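Review bot: The IPv4 rule `$ipt -t mangle -A PREROUTING -p icmp -j DROP` in this hunk still drops every ICMP type, while the IPv6 counterpart in this same commit was narrowed to echo-request, so the two scripts now behave differently under the same `drop_icmp` setting. Dropping all ICMPv4 also discards destination-unreachable/fragmentation-needed, which breaks path-MTU discovery for hosts behind this firewall; narrowing it to `$ipt -t mangle -A PREROUTING -p icmp --icmp-type echo-request -j DROP` (and the log rule just above the hunk) would match the IPv6 change. The `if [[ -n "$drop_icmp" ]] && $drop_icmp` block starts outside the hunk; the added `else`/`echo_skipped` placement itself looks correct.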