diff --git a/ip6t-firewall-server b/ip6t-firewall-server index 8c88124..cf80455 100755 --- a/ip6t-firewall-server +++ b/ip6t-firewall-server 
@@ -719,6 +719,75 @@ else fi +# ------------- +# --- Drop Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic +# --- Drop Tinc VPN Traffic +# ------------- + +[ "${drop_mndp,,}" == "yes" ] && drop_mndp=true +[ "${drop_mndp,,}" == "no" ] && drop_mndp=false + +echononl "\tDrop Tinc VPN / Mikrotik RouterOS Neighbor Discovery Traffic" +if [[ -n "$drop_mndp" ]] && $drop_mndp ; then + for _dev in ${ext_if_arr[@]} ; do + + if $log_mndp || $log_all ; then + $ip6t -A OUTPUT -o $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP Out: " + $ip6t -A INPUT -i $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP IN: " + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -o $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP fwd Out: " + $ip6t -A FORWARD -i $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP fwd In: " + fi + fi + + $ip6t -A OUTPUT -o $_dev -p udp --dport $standard_mndp_port -j DROP + $ip6t -A INPUT -i $_dev -p udp --dport $standard_mndp_port -j DROP + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -o $_dev -p udp --dport $standard_mndp_port -j DROP + $ip6t -A FORWARD -i $_dev -p udp --dport $standard_mndp_port -j DROP + fi + + done + echo_done +else + echo_skipped +fi + + +# ------------- +# --- Drop Multicast DNS Traffic +# ------------- + +[ "${drop_mdns,,}" == "yes" ] && drop_mdns=true +[ "${drop_mdns,,}" == "no" ] && drop_mdns=false + +echononl "\tDrop Multicast DNS Traffic" +if [[ -n "$drop_mdns" ]] && ${drop_mdns} ; then + for _dev in ${ext_if_arr[@]} ; do + + if $log_mdns || $log_all ; then + $ip6t -A OUTPUT -o $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS Out: " + $ip6t -A INPUT -i $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS IN: " + if $kernel_forward_between_interfaces ; then + 
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS fwd Out: " + $ip6t -A FORWARD -i $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS fwd In: " + fi + fi + + $ip6t -A OUTPUT -o $_dev -p udp --dport $standard_mdns_port -j DROP + $ip6t -A INPUT -i $_dev -p udp --dport $standard_mdns_port -j DROP + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -o $_dev -p udp --dport $standard_mdns_port -j DROP + $ip6t -A FORWARD -i $_dev -p udp --dport $standard_mdns_port -j DROP + fi + + done + echo_done +else + echo_skipped +fi + + # --- # - Don't allow spoofing out from this server # --- @@ -2666,11 +2735,11 @@ echo echononl "\tLogging all rejected traffic" if $log_rejected || $log_all ; then - #$ip6t -A OUTPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: " - #$ip6t -A INPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: " - #$ip6t -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: " - $ip6t -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall): " + + $ip6t -A OUTPUT -m limit --limit-burst 5 -p tcp ! --tcp-flags ACK,FIN ACK,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall): " + $ip6t -A OUTPUT -m limit --limit-burst 5 -p udp -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall): " $ip6t -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall): " + if $kernel_forward_between_interfaces ; then #$ip6t -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: " $ip6t -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall): " diff --git a/ipt-firewall-server b/ipt-firewall-server index 1fa5ff6..5b01c4c 100755 --- a/ipt-firewall-server +++ b/ipt-firewall-server 
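Review bot: `if [[ -n "$drop_mndp" ]] && $drop_mndp ; then` executes the configuration value as a command, so any value that survives the yes/no normalisation two lines above without becoming the literal `true`/`false` (for instance `1` or a mistyped word) is run rather than rejected; compare the string instead, `if [[ "${drop_mndp,,}" == "true" ]] ; then`, and likewise for `${drop_mdns}` and for both blocks of the ipt-firewall-server hunk at @@ -863. `for _dev in ${ext_if_arr[@]}` should read `for _dev in "${ext_if_arr[@]}"` so interface names are never word-split or glob-expanded. The section heading and the echononl text announce Tinc VPN traffic, yet every rule in the block matches only `-p udp --dport $standard_mndp_port`; if Tinc is meant to be covered here it needs its own port rules, otherwise the heading should name MNDP only. Because these rules are appended, the DROP is only effective if no earlier ACCEPT in INPUT/OUTPUT/FORWARD already matches this traffic, which the chain order outside the hunk decides.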
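Review bot: The two new OUTPUT log rules are limited to `-p tcp` (minus FIN/ACK packets) and `-p udp`, replacing a rule that logged every protocol, so an ICMPv6 or other non-TCP/UDP packet rejected at the end of OUTPUT now leaves no log line while INPUT and FORWARD still log everything; either add a matching `-p icmpv6` log rule or state in a comment that OUTPUT rejection logging is TCP/UDP only. The same narrowing appears in the ipt-firewall-server hunk at @@ -2827 (there it would be `-p icmp`). The reason for `! --tcp-flags ACK,FIN ACK,FIN` is not recorded; a comment such as `# skip late FIN/ACK segments (presumably tear-down after the conntrack entry expired) so they do not flood the log` would help the next reader, with the intent confirmed by the author. The `-m limit --limit-burst 5` on the new lines carries no `--limit`, so the rate falls back to the iptables default; spelling it out keeps the logging rate explicit.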
@@ -863,6 +863,72 @@ else fi +# ------------- +# --- Drop Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic +# --- Drop Tinc VPN Traffic +# ------------- + +[ "${drop_mndp,,}" == "yes" ] && drop_mndp=true +[ "${drop_mndp,,}" == "no" ] && drop_mndp=false + +echononl "\tDrop Tinc VPN / Mikrotik RouterOS Neighbor Discovery Traffic" +if [[ -n "$drop_mndp" ]] && ${drop_mndp} ; then + for _dev in ${ext_if_arr[@]} ; do + + if $log_mndp || $log_all ; then + $ipt -A OUTPUT -o $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP Out: " + $ipt -A INPUT -i $_dev -p udp --sport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP IN: " + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -o $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP fwd Out: " + $ipt -A FORWARD -i $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP fwd In: " + fi + fi + + $ipt -A OUTPUT -o $_dev -p udp --dport $standard_mndp_port -j DROP + $ipt -A INPUT -i $_dev -p udp --sport $standard_mndp_port -j DROP + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -o $_dev -p udp --dport $standard_mndp_port -j DROP + $ipt -A FORWARD -i $_dev -p udp --dport $standard_mndp_port -j DROP + fi + + done + echo_done +else + echo_skipped +fi + + +# ------------- +# --- Drop Multicast DNS Traffic +# ------------- + +[ "${drop_mdns,,}" == "yes" ] && drop_mdns=true +[ "${drop_mdns,,}" == "no" ] && drop_mdns=false + +echononl "\tDrop Multicast DNS Traffic" +if [[ -n "$drop_mdns" ]] && ${drop_mdns} ; then + for _dev in ${ext_if_arr[@]} ; do + if $log_mdns || $log_all ; then + $ipt -A OUTPUT -o $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS Out: " + $ipt -A INPUT -i $_dev -p udp --sport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS IN: " + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -o $_dev -p udp 
--dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS fwd Out: " + $ipt -A FORWARD -i $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS fwd In: " + fi + fi + $ipt -A OUTPUT -o $_dev -p udp --dport $standard_mdns_port -j DROP + $ipt -A INPUT -i $_dev -p udp --dport $standard_mdns_port -j DROP + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -o $_dev -p udp --dport $standard_mdns_port -j DROP + $ipt -A FORWARD -i $_dev -p udp --dport $standard_mdns_port -j DROP + fi + done + echo_done +else + echo_skipped +fi + + # --- # - Don't allow spoofing from that server # --- @@ -2827,15 +2893,16 @@ echo echononl "\tLogging all rejected traffic" if $log_rejected || $log_all ; then - #$ipt -A OUTPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:" - #$ipt -A INPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:" - #$ipt -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:" - $ipt -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):" + + $ipt -A OUTPUT -m limit --limit-burst 5 -p tcp ! --tcp-flags ACK,FIN ACK,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):" + $ipt -A OUTPUT -m limit --limit-burst 5 -p udp -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):" $ipt -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):" + if $kernel_activate_forwarding ; then #$ipt -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:" $ipt -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):" fi + echo_done else echo_skipped
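Review bot: In the mDNS block the INPUT log rule matches `--sport $standard_mdns_port` while the INPUT DROP rule a few lines later matches `--dport $standard_mdns_port`, so the logged and the dropped packet sets differ: a packet logged as "MDNS IN" may still be accepted later, and a dropped one may never be logged. Use the same selector on both, i.e. `$ipt -A INPUT -i $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS IN: "`, which is also what the ip6t-firewall-server hunk does. In the MNDP block INPUT uses `--sport $standard_mndp_port` for both log and drop, whereas the ip6t-firewall-server counterpart uses `--dport` and the FORWARD rules in this very hunk use `--dport`; MNDP discovery datagrams are, as far as I know, sent from and to the same port so either would match, but the two files should agree. The `${drop_mndp}`/`${drop_mdns}` command-execution and unquoted `${ext_if_arr[@]}` points raised on the ip6t-firewall-server hunk at @@ -719 apply here unchanged.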